<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-equiv="Content-Type" content="application/xhtml+xml; charset=UTF-8" />
<meta name="generator" content="AsciiDoc 8.6.10" />
<title>Snort 3 User Manual</title>
<style type="text/css">
/* Shared CSS for AsciiDoc xhtml11 and html5 backends */

/* Default font. */
body {
  font-family: Georgia,serif;
}

/* Title font. */
h1, h2, h3, h4, h5, h6,
div.title, caption.title,
thead, p.table.header,
#toctitle,
#author, #revnumber, #revdate, #revremark,
#footer {
  font-family: Arial,Helvetica,sans-serif;
}

body {
  margin: 1em 5% 1em 5%;
}

a {
  color: blue;
  text-decoration: underline;
}
a:visited {
  color: fuchsia;
}

em {
  font-style: italic;
  color: navy;
}

strong {
  font-weight: bold;
  color: #083194;
}

h1, h2, h3, h4, h5, h6 {
  color: #527bbd;
  margin-top: 1.2em;
  margin-bottom: 0.5em;
  line-height: 1.3;
}

h1, h2, h3 {
  border-bottom: 2px solid silver;
}
h2 {
  padding-top: 0.5em;
}
h3 {
  float: left;
}
h3 + * {
  clear: left;
}
h5 {
  font-size: 1.0em;
}

div.sectionbody {
  margin-left: 0;
}

hr {
  border: 1px solid silver;
}

p {
  margin-top: 0.5em;
  margin-bottom: 0.5em;
}

ul, ol, li > p {
  margin-top: 0;
}
ul > li     { color: #aaa; }
ul > li > * { color: black; }

.monospaced, code, pre {
  font-family: "Courier New", Courier, monospace;
  font-size: inherit;
  color: navy;
  padding: 0;
  margin: 0;
}
pre {
  white-space: pre-wrap;
}

#author {
  color: #527bbd;
  font-weight: bold;
  font-size: 1.1em;
}
#email {
}
#revnumber, #revdate, #revremark {
}

#footer {
  font-size: small;
  border-top: 2px solid silver;
  padding-top: 0.5em;
  margin-top: 4.0em;
}
#footer-text {
  float: left;
  padding-bottom: 0.5em;
}
#footer-badges {
  float: right;
  padding-bottom: 0.5em;
}

#preamble {
  margin-top: 1.5em;
  margin-bottom: 1.5em;
}
div.imageblock, div.exampleblock, div.verseblock,
div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,
div.admonitionblock {
  margin-top: 1.0em;
  margin-bottom: 1.5em;
}
div.admonitionblock {
  margin-top: 2.0em;
  margin-bottom: 2.0em;
  margin-right: 10%;
  color: #606060;
}

div.content { /* Block element content. */
  padding: 0;
}

/* Block element titles. */
div.title, caption.title {
  color: #527bbd;
  font-weight: bold;
  text-align: left;
  margin-top: 1.0em;
  margin-bottom: 0.5em;
}
div.title + * {
  margin-top: 0;
}

td div.title:first-child {
  margin-top: 0.0em;
}
div.content div.title:first-child {
  margin-top: 0.0em;
}
div.content + div.title {
  margin-top: 0.0em;
}

div.sidebarblock > div.content {
  background: #ffffee;
  border: 1px solid #dddddd;
  border-left: 4px solid #f0f0f0;
  padding: 0.5em;
}

div.listingblock > div.content {
  border: 1px solid #dddddd;
  border-left: 5px solid #f0f0f0;
  background: #f8f8f8;
  padding: 0.5em;
}

div.quoteblock, div.verseblock {
  padding-left: 1.0em;
  margin-left: 1.0em;
  margin-right: 10%;
  border-left: 5px solid #f0f0f0;
  color: #888;
}

div.quoteblock > div.attribution {
  padding-top: 0.5em;
  text-align: right;
}

div.verseblock > pre.content {
  font-family: inherit;
  font-size: inherit;
}
div.verseblock > div.attribution {
  padding-top: 0.75em;
  text-align: left;
}
/* DEPRECATED: Pre version 8.2.7 verse style literal block. */
div.verseblock + div.attribution {
  text-align: left;
}

div.admonitionblock .icon {
  vertical-align: top;
  font-size: 1.1em;
  font-weight: bold;
  text-decoration: underline;
  color: #527bbd;
  padding-right: 0.5em;
}
div.admonitionblock td.content {
  padding-left: 0.5em;
  border-left: 3px solid #dddddd;
}

div.exampleblock > div.content {
  border-left: 3px solid #dddddd;
  padding-left: 0.5em;
}

div.imageblock div.content { padding-left: 0; }
span.image img { border-style: none; vertical-align: text-bottom; }
a.image:visited { color: white; }

dl {
  margin-top: 0.8em;
  margin-bottom: 0.8em;
}
dt {
  margin-top: 0.5em;
  margin-bottom: 0;
  font-style: normal;
  color: navy;
}
dd > *:first-child {
  margin-top: 0.1em;
}

ul, ol {
    list-style-position: outside;
}
ol.arabic {
  list-style-type: decimal;
}
ol.loweralpha {
  list-style-type: lower-alpha;
}
ol.upperalpha {
  list-style-type: upper-alpha;
}
ol.lowerroman {
  list-style-type: lower-roman;
}
ol.upperroman {
  list-style-type: upper-roman;
}

div.compact ul, div.compact ol,
div.compact p, div.compact p,
div.compact div, div.compact div {
  margin-top: 0.1em;
  margin-bottom: 0.1em;
}

tfoot {
  font-weight: bold;
}
td > div.verse {
  white-space: pre;
}

div.hdlist {
  margin-top: 0.8em;
  margin-bottom: 0.8em;
}
div.hdlist tr {
  padding-bottom: 15px;
}
dt.hdlist1.strong, td.hdlist1.strong {
  font-weight: bold;
}
td.hdlist1 {
  vertical-align: top;
  font-style: normal;
  padding-right: 0.8em;
  color: navy;
}
td.hdlist2 {
  vertical-align: top;
}
div.hdlist.compact tr {
  margin: 0;
  padding-bottom: 0;
}

.comment {
  background: yellow;
}

.footnote, .footnoteref {
  font-size: 0.8em;
}

span.footnote, span.footnoteref {
  vertical-align: super;
}

#footnotes {
  margin: 20px 0 20px 0;
  padding: 7px 0 0 0;
}

#footnotes div.footnote {
  margin: 0 0 5px 0;
}

#footnotes hr {
  border: none;
  border-top: 1px solid silver;
  height: 1px;
  text-align: left;
  margin-left: 0;
  width: 20%;
  min-width: 100px;
}

div.colist td {
  padding-right: 0.5em;
  padding-bottom: 0.3em;
  vertical-align: top;
}
div.colist td img {
  margin-top: 0.3em;
}

@media print {
  #footer-badges { display: none; }
}

#toc {
  margin-bottom: 2.5em;
}

#toctitle {
  color: #527bbd;
  font-size: 1.1em;
  font-weight: bold;
  margin-top: 1.0em;
  margin-bottom: 0.1em;
}

div.toclevel0, div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {
  margin-top: 0;
  margin-bottom: 0;
}
div.toclevel2 {
  margin-left: 2em;
  font-size: 0.9em;
}
div.toclevel3 {
  margin-left: 4em;
  font-size: 0.9em;
}
div.toclevel4 {
  margin-left: 6em;
  font-size: 0.9em;
}

span.aqua { color: aqua; }
span.black { color: black; }
span.blue { color: blue; }
span.fuchsia { color: fuchsia; }
span.gray { color: gray; }
span.green { color: green; }
span.lime { color: lime; }
span.maroon { color: maroon; }
span.navy { color: navy; }
span.olive { color: olive; }
span.purple { color: purple; }
span.red { color: red; }
span.silver { color: silver; }
span.teal { color: teal; }
span.white { color: white; }
span.yellow { color: yellow; }

span.aqua-background { background: aqua; }
span.black-background { background: black; }
span.blue-background { background: blue; }
span.fuchsia-background { background: fuchsia; }
span.gray-background { background: gray; }
span.green-background { background: green; }
span.lime-background { background: lime; }
span.maroon-background { background: maroon; }
span.navy-background { background: navy; }
span.olive-background { background: olive; }
span.purple-background { background: purple; }
span.red-background { background: red; }
span.silver-background { background: silver; }
span.teal-background { background: teal; }
span.white-background { background: white; }
span.yellow-background { background: yellow; }

span.big { font-size: 2em; }
span.small { font-size: 0.6em; }

span.underline { text-decoration: underline; }
span.overline { text-decoration: overline; }
span.line-through { text-decoration: line-through; }

div.unbreakable { page-break-inside: avoid; }


/*
 * xhtml11 specific
 *
 * */

div.tableblock {
  margin-top: 1.0em;
  margin-bottom: 1.5em;
}
div.tableblock > table {
  border: 3px solid #527bbd;
}
thead, p.table.header {
  font-weight: bold;
  color: #527bbd;
}
p.table {
  margin-top: 0;
}
/* Because the table frame attribute is overriden by CSS in most browsers. */
div.tableblock > table[frame="void"] {
  border-style: none;
}
div.tableblock > table[frame="hsides"] {
  border-left-style: none;
  border-right-style: none;
}
div.tableblock > table[frame="vsides"] {
  border-top-style: none;
  border-bottom-style: none;
}


/*
 * html5 specific
 *
 * */

table.tableblock {
  margin-top: 1.0em;
  margin-bottom: 1.5em;
}
thead, p.tableblock.header {
  font-weight: bold;
  color: #527bbd;
}
p.tableblock {
  margin-top: 0;
}
table.tableblock {
  border-width: 3px;
  border-spacing: 0px;
  border-style: solid;
  border-color: #527bbd;
  border-collapse: collapse;
}
th.tableblock, td.tableblock {
  border-width: 1px;
  padding: 4px;
  border-style: solid;
  border-color: #527bbd;
}

table.tableblock.frame-topbot {
  border-left-style: hidden;
  border-right-style: hidden;
}
table.tableblock.frame-sides {
  border-top-style: hidden;
  border-bottom-style: hidden;
}
table.tableblock.frame-none {
  border-style: hidden;
}

th.tableblock.halign-left, td.tableblock.halign-left {
  text-align: left;
}
th.tableblock.halign-center, td.tableblock.halign-center {
  text-align: center;
}
th.tableblock.halign-right, td.tableblock.halign-right {
  text-align: right;
}

th.tableblock.valign-top, td.tableblock.valign-top {
  vertical-align: top;
}
th.tableblock.valign-middle, td.tableblock.valign-middle {
  vertical-align: middle;
}
th.tableblock.valign-bottom, td.tableblock.valign-bottom {
  vertical-align: bottom;
}


/*
 * manpage specific
 *
 * */

body.manpage h1 {
  padding-top: 0.5em;
  padding-bottom: 0.5em;
  border-top: 2px solid silver;
  border-bottom: 2px solid silver;
}
body.manpage h2 {
  border-style: none;
}
body.manpage div.sectionbody {
  margin-left: 3em;
}

@media print {
  body.manpage div#toc { display: none; }
}


@media screen {
  body {
    max-width: 50em; /* approximately 80 characters wide */
    margin-left: 16em;
  }

  #toc {
    position: fixed;
    top: 0;
    left: 0;
    bottom: 0;
    width: 13em;
    padding: 0.5em;
    padding-bottom: 1.5em;
    margin: 0;
    overflow: auto;
    border-right: 3px solid #f8f8f8;
    background-color: white;
  }

  #toc .toclevel1 {
    margin-top: 0.5em;
  }

  #toc .toclevel2 {
    margin-top: 0.25em;
    display: list-item;
    color: #aaaaaa;
  }

  #toctitle {
    margin-top: 0.5em;
  }
}
</style>
<script type="text/javascript">
/*<![CDATA[*/
var asciidoc = {  // Namespace.

/////////////////////////////////////////////////////////////////////
// Table Of Contents generator
/////////////////////////////////////////////////////////////////////

/* Author: Mihai Bazon, September 2002
 * http://students.infoiasi.ro/~mishoo
 *
 * Table Of Content generator
 * Version: 0.4
 *
 * Feel free to use this script under the terms of the GNU General Public
 * License, as long as you do not remove or alter this notice.
 */

 /* modified by Troy D. Hanson, September 2006. License: GPL */
 /* modified by Stuart Rackham, 2006, 2009. License: GPL */

// toclevels = 1..4.
toc: function (toclevels) {

  function getText(el) {
    var text = "";
    for (var i = el.firstChild; i != null; i = i.nextSibling) {
      if (i.nodeType == 3 /* Node.TEXT_NODE */) // IE doesn't speak constants.
        text += i.data;
      else if (i.firstChild != null)
        text += getText(i);
    }
    return text;
  }

  function TocEntry(el, text, toclevel) {
    this.element = el;
    this.text = text;
    this.toclevel = toclevel;
  }

  function tocEntries(el, toclevels) {
    var result = new Array;
    var re = new RegExp('[hH]([1-'+(toclevels+1)+'])');
    // Function that scans the DOM tree for header elements (the DOM2
    // nodeIterator API would be a better technique but not supported by all
    // browsers).
    var iterate = function (el) {
      for (var i = el.firstChild; i != null; i = i.nextSibling) {
        if (i.nodeType == 1 /* Node.ELEMENT_NODE */) {
          var mo = re.exec(i.tagName);
          if (mo && (i.getAttribute("class") || i.getAttribute("className")) != "float") {
            result[result.length] = new TocEntry(i, getText(i), mo[1]-1);
          }
          iterate(i);
        }
      }
    }
    iterate(el);
    return result;
  }

  var toc = document.getElementById("toc");
  if (!toc) {
    return;
  }

  // Delete existing TOC entries in case we're reloading the TOC.
  var tocEntriesToRemove = [];
  var i;
  for (i = 0; i < toc.childNodes.length; i++) {
    var entry = toc.childNodes[i];
    if (entry.nodeName.toLowerCase() == 'div'
     && entry.getAttribute("class")
     && entry.getAttribute("class").match(/^toclevel/))
      tocEntriesToRemove.push(entry);
  }
  for (i = 0; i < tocEntriesToRemove.length; i++) {
    toc.removeChild(tocEntriesToRemove[i]);
  }

  // Rebuild TOC entries.
  var entries = tocEntries(document.getElementById("content"), toclevels);
  for (var i = 0; i < entries.length; ++i) {
    var entry = entries[i];
    if (entry.element.id == "")
      entry.element.id = "_toc_" + i;
    var a = document.createElement("a");
    a.href = "#" + entry.element.id;
    a.appendChild(document.createTextNode(entry.text));
    var div = document.createElement("div");
    div.appendChild(a);
    div.className = "toclevel" + entry.toclevel;
    toc.appendChild(div);
  }
  if (entries.length == 0)
    toc.parentNode.removeChild(toc);
},


/////////////////////////////////////////////////////////////////////
// Footnotes generator
/////////////////////////////////////////////////////////////////////

/* Based on footnote generation code from:
 * http://www.brandspankingnew.net/archive/2005/07/format_footnote.html
 */

footnotes: function () {
  // Delete existing footnote entries in case we're reloading the footnodes.
  var i;
  var noteholder = document.getElementById("footnotes");
  if (!noteholder) {
    return;
  }
  var entriesToRemove = [];
  for (i = 0; i < noteholder.childNodes.length; i++) {
    var entry = noteholder.childNodes[i];
    if (entry.nodeName.toLowerCase() == 'div' && entry.getAttribute("class") == "footnote")
      entriesToRemove.push(entry);
  }
  for (i = 0; i < entriesToRemove.length; i++) {
    noteholder.removeChild(entriesToRemove[i]);
  }

  // Rebuild footnote entries.
  var cont = document.getElementById("content");
  var spans = cont.getElementsByTagName("span");
  var refs = {};
  var n = 0;
  for (i=0; i<spans.length; i++) {
    if (spans[i].className == "footnote") {
      n++;
      var note = spans[i].getAttribute("data-note");
      if (!note) {
        // Use [\s\S] in place of . so multi-line matches work.
        // Because JavaScript has no s (dotall) regex flag.
        note = spans[i].innerHTML.match(/\s*\[([\s\S]*)]\s*/)[1];
        spans[i].innerHTML =
          "[<a id='_footnoteref_" + n + "' href='#_footnote_" + n +
          "' title='View footnote' class='footnote'>" + n + "</a>]";
        spans[i].setAttribute("data-note", note);
      }
      noteholder.innerHTML +=
        "<div class='footnote' id='_footnote_" + n + "'>" +
        "<a href='#_footnoteref_" + n + "' title='Return to text'>" +
        n + "</a>. " + note + "</div>";
      var id =spans[i].getAttribute("id");
      if (id != null) refs["#"+id] = n;
    }
  }
  if (n == 0)
    noteholder.parentNode.removeChild(noteholder);
  else {
    // Process footnoterefs.
    for (i=0; i<spans.length; i++) {
      if (spans[i].className == "footnoteref") {
        var href = spans[i].getElementsByTagName("a")[0].getAttribute("href");
        href = href.match(/#.*/)[0];  // Because IE return full URL.
        n = refs[href];
        spans[i].innerHTML =
          "[<a href='#_footnote_" + n +
          "' title='View footnote' class='footnote'>" + n + "</a>]";
      }
    }
  }
},

install: function(toclevels) {
  var timerId;

  function reinstall() {
    asciidoc.footnotes();
    if (toclevels) {
      asciidoc.toc(toclevels);
    }
  }

  function reinstallAndRemoveTimer() {
    clearInterval(timerId);
    reinstall();
  }

  timerId = setInterval(reinstall, 500);
  if (document.addEventListener)
    document.addEventListener("DOMContentLoaded", reinstallAndRemoveTimer, false);
  else
    window.onload = reinstallAndRemoveTimer;
}

}
asciidoc.install(2);
/*]]>*/
</script>
</head>
<body class="article">
<div id="header">
<h1>Snort 3 User Manual</h1>
<span id="author">The Snort Team</span><br />
</div>
<div id="content">
<div id="preamble">
<div class="sectionbody">
<div class="imageblock">
<div class="content">
<img src="./snorty.png" alt="Snorty" width="480" />
</div>
</div>
<div class="literalblock">
<div class="content">
<pre><code> ,,_     -*&gt; Snort++ &lt;*-
o"  )~   Version 3.0.0 (Build 261)
 ''''    By Martin Roesch &amp; The Snort Team
         http://snort.org/contact#team
         Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
         Copyright (C) 1998-2013 Sourcefire, Inc., et al.</code></pre>
</div></div>
<div id="toc">
  <div id="toctitle">Contents</div>
  <noscript><p><b>JavaScript must be enabled in your browser to display the table of contents.</b></p></noscript>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_overview">Overview</h2>
<div class="sectionbody">
<div class="paragraph"><p>Snort 3.0 is an updated version of the Snort Intrusion Prevention System
(IPS) which features a new design that provides a superset of Snort 2.X
functionality with better throughput, detection, scalability, and
usability.  Some of the key features of Snort 3.0 are:</p></div>
<div class="ulist"><ul>
<li>
<p>
Support multiple packet processing threads
</p>
</li>
<li>
<p>
Use a shared configuration and attribute table
</p>
</li>
<li>
<p>
Autodetect services for portless configuration
</p>
</li>
<li>
<p>
Modular design
</p>
</li>
<li>
<p>
Plugin framework with over 200 plugins
</p>
</li>
<li>
<p>
More scalable memory profile
</p>
</li>
<li>
<p>
LuaJIT configuration, loggers, and rule options
</p>
</li>
<li>
<p>
Hyperscan support
</p>
</li>
<li>
<p>
Rewritten TCP handling
</p>
</li>
<li>
<p>
New rule parser and syntax
</p>
</li>
<li>
<p>
Service rules like alert http
</p>
</li>
<li>
<p>
Rule "sticky" buffers
</p>
</li>
<li>
<p>
Way better SO rules
</p>
</li>
<li>
<p>
New HTTP inspector
</p>
</li>
<li>
<p>
New performance monitor
</p>
</li>
<li>
<p>
New time and space profiling
</p>
</li>
<li>
<p>
New latency monitoring and enforcement
</p>
</li>
<li>
<p>
Piglets to facilitate component testing
</p>
</li>
<li>
<p>
Inspection Events
</p>
</li>
<li>
<p>
Automake and Cmake
</p>
</li>
<li>
<p>
Autogenerate reference documentation
</p>
</li>
</ul></div>
<div class="paragraph"><p>Additional features are on the road map:</p></div>
<div class="ulist"><ul>
<li>
<p>
Use a shared network map
</p>
</li>
<li>
<p>
Support hardware offload for fast pattern acceleration
</p>
</li>
<li>
<p>
Provide support for DPDK and ODP
</p>
</li>
<li>
<p>
Support pipelining of packet processing
</p>
</li>
<li>
<p>
Support proxy mode
</p>
</li>
<li>
<p>
Multi-tennant support
</p>
</li>
<li>
<p>
Incremental reload
</p>
</li>
<li>
<p>
New serialization of perf data and events
</p>
</li>
<li>
<p>
Enhanced rule processing
</p>
</li>
<li>
<p>
Windows support
</p>
</li>
<li>
<p>
Anomaly detection
</p>
</li>
<li>
<p>
and more!
</p>
</li>
</ul></div>
<div class="paragraph"><p>The remainder of this section provides a high level survey of the inputs,
processing, and outputs available with Snort 3.0.</p></div>
<div class="paragraph"><p>Snort++ is the project that is creating Snort 3.0.  In this manual "Snort"
or "Snort 3" refers to the 3.0 version and earlier versions will be
referred to as "Snort 2" where the distinction is relevant.</p></div>
<div class="sect2">
<h3 id="_first_steps">First Steps</h3>
<div class="paragraph"><p>Snort can be configured to perform complex packet processing and deep
packet inspection but it is best start simply and work up to more
interesting tasks.  Snort won&#8217;t do anything you didn&#8217;t specifically ask it
to do so it is safe to just try things out and see what happens.  Let&#8217;s
start by just running Snort with no arguments:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>$ snort</code></pre>
</div></div>
<div class="paragraph"><p>That will output usage information including some basic help commands.  You
should run all of these commands now to see what is available:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>$ snort -V
$ snort -?
$ snort --help</code></pre>
</div></div>
<div class="paragraph"><p>Note that Snort has extensive command line help available so if anything
below isn&#8217;t clear, there is probably a way to get the exact information you
need from the command line.</p></div>
<div class="paragraph"><p>Now let&#8217;s examine the packets in a capture file (pcap):</p></div>
<div class="literalblock">
<div class="content">
<pre><code>$ snort -r a.pcap</code></pre>
</div></div>
<div class="paragraph"><p>Snort will decode and count the packets in the file and output some
statistics.  Note that the output excludes non-zero numbers so it is easy
to see what is there.</p></div>
<div class="paragraph"><p>You may have noticed that there are command line options to limit the
number of packets examined or set a filter to select particular packets.
Now is a good time to experiment with those options.</p></div>
<div class="paragraph"><p>If you want to see details on each packet, you can dump the packets to
console like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>$ snort -r a.pcap -L dump</code></pre>
</div></div>
<div class="paragraph"><p>Add the -d option to see the TCP and UDP payload.  Now let&#8217;s switch to live
traffic.  Replace eth0 in the below command with an available network
interface:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>$ snort -i eth0 -L dump</code></pre>
</div></div>
<div class="paragraph"><p>Unless the interface is taken down, Snort will just keep running, so enter
Control-C to terminate or use the -n option to limit the number of packets.</p></div>
<div class="paragraph"><p>Generally it is better to capture the packets for later analysis like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>$ snort -i eth0 -L pcap -n 10</code></pre>
</div></div>
<div class="paragraph"><p>Snort will write 10 packets to log.pcap.# where # is a timestamp value.
You can read these back with -r and dump to console or pcap with -L.  You
get the idea.</p></div>
<div class="paragraph"><p>Note that you can do similar things with other tools like tcpdump or
Wireshark however these commands are very useful when you want to check
your Snort setup.</p></div>
<div class="paragraph"><p>The examples above use the default pcap DAQ.  Snort supports non-pcap
interfaces as well via the DAQ (data acquisition) library.  Other DAQs
provide additional functionality such as inline operation and/or higher
performance.  There are even DAQs that support raw file processing (ie
without packets), socket processing, and plain text packets.  To load
external DAQ libraries and see available DAQs or select a particular DAQ
use one of these commands:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>$ snort --daq-dir &lt;path&gt; --daq-list
$ snort --daq-dir &lt;path&gt; --daq &lt;type&gt;</code></pre>
</div></div>
<div class="paragraph"><p>Be sure to put the --daq-dir option ahead of the --daq-list option or the
external DAQs won&#8217;t appear in the list.</p></div>
<div class="paragraph"><p>To leverage intrusion detection features of Snort you will need to provide
some configuration details.  The next section breaks down what must be
done.</p></div>
</div>
<div class="sect2">
<h3 id="_configuration">Configuration</h3>
<div class="paragraph"><p>Effective configuration of Snort is done via the environment, command
line, a Lua configuration file, and a set of rules.</p></div>
<div class="paragraph"><p>Note that backwards compatibility with Snort 2 was sacrificed to obtain
new and improved functionality.  While Snort 3 leverages some of the
Snort 2 code base, a lot has changed.  The configuration of Snort 3 is
done with Lua, so your old conf won&#8217;t work as is.  Rules are still text
based but with syntax tweaks, so your 2.X rules must be fixed up.  However,
snort2lua will help you convert your conf and rules to the new format.</p></div>
<div class="sect3">
<h4 id="_command_line">Command Line</h4>
<div class="paragraph"><p>A simple command line might look like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c snort.lua -R cool.rules -r some.pcap -A cmg</code></pre>
</div></div>
<div class="paragraph"><p>To understand what that does, you can start by just running snort with no
arguments by running snort --help.  Help for all configuration and rule
options is available via a suitable command line.  In this case:</p></div>
<div class="paragraph"><p>-c snort.lua is the main configuration file.  This is a Lua script that is
executed when loaded.</p></div>
<div class="paragraph"><p>-R cool.rules contains some detection rules.  You can write your own or
obtain them from Talos (native 3.0 rules are not yet available from Talos
so you must convert them with snort2lua).  You can also put your rules
directly in your configuration file.</p></div>
<div class="paragraph"><p>-r some.pcap tells Snort to read network traffic from the given packet
capture file.  You could instead use -i eth0 to read from a live interface.
There many other options available too depending on the DAQ you use.</p></div>
<div class="paragraph"><p>-A cmg says to output intrusion events in "cmg" format, which has basic
header details followed by the payload in hex and text.</p></div>
<div class="paragraph"><p>Note that you add to and/or override anything in your configuration file by
using the --lua command line option.  For example:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>--lua 'ips = { enable_builtin_rules = true }'</code></pre>
</div></div>
<div class="paragraph"><p>will load the built-in decoder and inspector rules.  In this case, ips is
overwritten with the config you see above.  If you just want to change the
config given in your configuration file you would do it like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>--lua 'ips.enable_builtin_rules = true'</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_configuration_file">Configuration File</h4>
<div class="paragraph"><p>The configuration file gives you complete control over how Snort processes
packets.  Start with the default snort.lua included in the distribution
because that contains some key ingredients.  Note that most of the
configurations look like:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>stream = { }</code></pre>
</div></div>
<div class="paragraph"><p>This means enable the stream module using internal defaults.  To see what
those are, you could run:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --help-config stream</code></pre>
</div></div>
<div class="paragraph"><p>Snort is organized into a collection of builtin and plugin modules.
If a module has parameters, it is configured by a Lua table of the same
name.  For example, we can see what the active module has to offer with
this command:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>$ snort --help-module active</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>What: configure responses</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>Type: basic</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>Configuration:</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>int active.attempts = 0: number of TCP packets sent per response (with
varying sequence numbers) { 0:20 }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>string active.device: use 'ip' for network layer responses or 'eth0' etc
for link layer</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>string active.dst_mac: use format '01:23:45:67:89:ab'</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>int active.max_responses = 0: maximum number of responses { 0: }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>int active.min_interval = 255: minimum number of seconds between
responses { 1: }</code></pre>
</div></div>
<div class="paragraph"><p>This says active is a basic module that has several parameters.  For each,
you will see:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>type module.name = default: help { range }</code></pre>
</div></div>
<div class="paragraph"><p>For example, the active module has a max_responses parameter that takes
non-negative integer values and defaults to zero.  We can change that in
Lua as follows:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>active = { max_responses = 1 }</code></pre>
</div></div>
<div class="paragraph"><p>or:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>active = { }
active.max_responses = 1</code></pre>
</div></div>
<div class="paragraph"><p>If we also wanted to limit retries to at least 5 seconds, we could do:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>active = { max_responses = 1, min_interval = 5 }</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_rules">Rules</h4>
<div class="paragraph"><p>Rules determine what Snort is looking for.  They can be put directly in
your Lua configuration file with the ips module, on the command line with
--lua, or in external files.  Generally you will have many rules obtained
from various sources such as Talos and loading external files is the way to
go so we will summarize that here.  Add this to your Lua configuration:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>ips = { include = 'rules.txt' }</code></pre>
</div></div>
<div class="paragraph"><p>to load the external rules file named rules.txt.  You can only specify
one file this way but rules files can include other rules files with the
include statement.  In addition you can load rules like:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>$ sort -c snort.lua -R rules.txt</code></pre>
</div></div>
<div class="paragraph"><p>You can use both approaches together.</p></div>
</div>
<div class="sect3">
<h4 id="_includes">Includes</h4>
<div class="paragraph"><p>Your configuration file file may include other files, either directly via Lua or via
various parameters.  Snort will find relative includes in the following order:</p></div>
<div class="olist arabic"><ol class="arabic">
<li>
<p>
If you specify --include-path, this directory will be tried first.
</p>
</li>
<li>
<p>
Snort will try the directory containing the including file.
</p>
</li>
<li>
<p>
Snort will try the directory containing the -c configuration file.
</p>
</li>
</ol></div>
<div class="paragraph"><p>Some things to keep in mind:</p></div>
<div class="ulist"><ul>
<li>
<p>
If you use the Lua dofile function, then you must specify absolute paths
  or paths relative to your working directory since Lua will execute the
  include before Snort sees the file contents.
</p>
</li>
<li>
<p>
For best results, use include in place of dofile.  This function is
  provided to follow Snort&#8217;s include logic.
</p>
</li>
<li>
<p>
As of now, appid and reputation paths must be absolute or relative to the
  working directory.  These will be updated in a future release.
</p>
</li>
</ul></div>
</div>
<div class="sect3">
<h4 id="_converting_your_2_x_configuration">Converting Your 2.X Configuration</h4>
<div class="paragraph"><p>If you have a working 2.X configuration snort2lua makes it easy to get up
and running with Snort 3.  This tool will convert your configuration and/or
rules files automatically.  You will want to clean up the results and
double check that it is doing exactly what you need.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort2lua -c snort.conf</code></pre>
</div></div>
<div class="paragraph"><p>The above command will generate snort.lua based on your 2.X configuration.
For more information and options for more sophisticated use cases, see the
Snort2Lua section later in the manual.</p></div>
</div>
</div>
<div class="sect2">
<h3 id="_output">Output</h3>
<div class="paragraph"><p>Snort can produce quite a lot of data.  In the following we will summarize
the key aspects of the core output types.  Additional data such as from
appid is covered later.</p></div>
<div class="sect3">
<h4 id="_basic_statistics">Basic Statistics</h4>
<div class="paragraph"><p>At shutdown, Snort will output various counts depending on configuration
and the traffic processed.  Generally, you may see:</p></div>
<div class="ulist"><ul>
<li>
<p>
Packet Statistics - this includes data from the DAQ and decoders such as
  the number of packets received and number of UDP packets.
</p>
</li>
<li>
<p>
Module Statistics - each module tracks activity via a set of peg counts
  that indicate how many times something was observed or performed.  This
  might include the number of HTTP GET requests processed and the number of
  TCP reset packets trimmed.
</p>
</li>
<li>
<p>
File Statistics - look here for a breakdown of file type, bytes,
  signatures.
</p>
</li>
<li>
<p>
Summary Statistics - this includes total runtime for packet processing
  and the packets per second.  Profiling data will appear here as well if
  configured.
</p>
</li>
</ul></div>
<div class="paragraph"><p>Note that only the non-zero counts are output.  Run this to see the
available counts:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>$ snort --help-counts</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_alerts">Alerts</h4>
<div class="paragraph"><p>If you configured rules, you will need to configure alerts to see the
details of detection events.  Use the -A option like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>$ snort -c snort.lua -r a.pcap -A cmg</code></pre>
</div></div>
<div class="paragraph"><p>There are many types of alert outputs possible.  Here is a brief list:</p></div>
<div class="ulist"><ul>
<li>
<p>
-A cmg is the same as -A fast -d -e and will show information about the
  alert along with packet headers and payload.
</p>
</li>
<li>
<p>
-A u2 is the same as -A unified2 and will log events and triggering
  packets in a binary file that you can feed to other tools for post
  processing.  Note that Snort 3 does not provide the raw packets for
  alerts on PDUs; you will get the actual buffer that alerted.
</p>
</li>
<li>
<p>
-A csv will output various fields in comma separated value format.  This
  is entirely customizable and very useful for pcap analysis.
</p>
</li>
</ul></div>
<div class="paragraph"><p>To see the available alert types, you can run this command:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>$ snort --list-plugins | grep logger</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_files_and_paths">Files and Paths</h4>
<div class="paragraph"><p>Note that output is specific to each packet thread.  If you run 4 packet
threads with u2 output, you will get 4 different u2 files.  The basic
structure is:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>&lt;logdir&gt;/[&lt;run_prefix&gt;][&lt;id#&gt;][&lt;X&gt;]&lt;name&gt;</code></pre>
</div></div>
<div class="paragraph"><p>where:</p></div>
<div class="ulist"><ul>
<li>
<p>
logdir is set with -l and defaults to ./
</p>
</li>
<li>
<p>
run_prefix is set with --run-prefix else not used
</p>
</li>
<li>
<p>
id# is the packet thread number that writes the file; with one packet
  thread, id# (zero) is omitted without --id-zero
</p>
</li>
<li>
<p>
X is / if you use --id-subdir, else _ if id# is used
</p>
</li>
<li>
<p>
name is based on module name that writes the file
</p>
</li>
</ul></div>
<div class="paragraph"><p>Additional considerations:</p></div>
<div class="ulist"><ul>
<li>
<p>
There is no way to explicitly configure a full path to avoid issues with
  multiple packet threads.
</p>
</li>
<li>
<p>
All text mode outputs default to stdout
</p>
</li>
</ul></div>
</div>
<div class="sect3">
<h4 id="_performance_statistics">Performance Statistics</h4>
<div class="paragraph"><p>Still more data is available beyond the above.</p></div>
<div class="ulist"><ul>
<li>
<p>
By configuring the perf_monitor module you can capture a configurable set
  of peg counts during runtime.  This is useful to feed to an external
  program so you can see what is happening without stopping Snort.
</p>
</li>
<li>
<p>
The profiler module allows you to track time and space used by module and
  rules.  Use this data to tune your system for best performance.  The
  output will show up under Summary Statistics at shutdown.
</p>
</li>
</ul></div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_concepts">Concepts</h2>
<div class="sectionbody">
<div class="paragraph"><p>This section provides background on essential aspects of Snort&#8217;s operation.</p></div>
<div class="sect2">
<h3 id="_terminology">Terminology</h3>
<div class="ulist"><ul>
<li>
<p>
<strong>basic module</strong>: a module integrated into Snort that does not come from a
  plugin.
</p>
</li>
<li>
<p>
<strong>binder</strong>: inspector that maps configuration to traffic
</p>
</li>
<li>
<p>
<strong>builtin rules</strong>: codec and inspector rules for anomalies detected
  internally.
</p>
</li>
<li>
<p>
<strong>codec</strong>: short for coder / decoder.  These plugins are used for basic
   protocol decoding, anomaly detection, and construction of active responses.
</p>
</li>
<li>
<p>
<strong>data module</strong>: an adjunct configuration plugin for use with certain inspectors.
</p>
</li>
<li>
<p>
<strong>dynamic rules</strong>: plugin rules loaded at runtime.  See SO rules.
</p>
</li>
<li>
<p>
<strong>fast pattern</strong>: the content in an IPS rule that must be found by the
  search engine in order for a rule to be evaluated.
</p>
</li>
<li>
<p>
<strong>fast pattern matcher</strong>: see search engine.
</p>
</li>
<li>
<p>
<strong>hex</strong>: a type of protocol magic that the wizard uses to identify binary
  protocols.
</p>
</li>
<li>
<p>
<strong>inspector</strong>: plugin that processes packets (similar to the Snort 2
  preprocessor)
</p>
</li>
<li>
<p>
<strong>IPS</strong>:  intrusion prevention system, like Snort.
</p>
</li>
<li>
<p>
<strong>IPS action</strong>: plugin that allows you to perform custom actions when
  events are generated.  Unlike loggers, these are invoked before
  thresholding and can be used to control external agents or send active
  responses.
</p>
</li>
<li>
<p>
<strong>IPS option</strong>: this plugin is the building blocks of IPS rules.
</p>
</li>
<li>
<p>
<strong>logger</strong>: a plugin that performs output of events and packets.  Events
  are thresholded before reaching loggers.
</p>
</li>
<li>
<p>
<strong>module</strong>: the user facing portion of a Snort component.  Modules chiefly
  provide configuration parameters, but may also provide commands, builtin
  rules, profiling statistics, peg counts, etc.  Note that not all modules
  are plugins and not all plugins have modules.
</p>
</li>
<li>
<p>
<strong>peg count</strong>: the number of times a given event or condition occurs.
</p>
</li>
<li>
<p>
<strong>plugin</strong>: one of several types of software components that can be loaded
  from a dynamic library when Snort starts up.  Some plugins are coupled
  with the main engine in such a way that they must be built statically,
  but a newer version can be loaded dynamically.
</p>
</li>
<li>
<p>
<strong>search engine</strong>: a plugin that performs multipattern searching of packets
  and payload to find rules that should be evaluated.  There are currently
  no specific modules, although there are several search engine plugins.
  Related configuration is done with the basic detection module.  Aka fast
  pattern matcher.
</p>
</li>
<li>
<p>
<strong>SO rule</strong>: a IPS rule plugin that performs custom detection that can&#8217;t
  be done by a text rule.  These rules typically do not have associated
  modules.  SO comes from shared object, meaning dynamic library.
</p>
</li>
<li>
<p>
<strong>spell</strong>: a type of protocol magic that the wizard uses to identify ASCII
  protocols.
</p>
</li>
<li>
<p>
<strong>text rule</strong>: a rule loaded from the configuration that has a header and
  body.  The header specifies action, protocol, source and destination IP
  addresses and ports, and direction.  The body specifies detection and
  non-detection options.
</p>
</li>
<li>
<p>
<strong>wizard</strong>: inspector that applies protocol magic to determine which
  inspectors should be bound to traffic absent a port specific binding.
  See hex and spell.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_modules">Modules</h3>
<div class="paragraph"><p>Modules are the building blocks of Snort.  They encapsulate the types of
data that many components need including parameters, peg counts, profiling,
builtin rules, and commands.  This allows Snort to handle them generically
and consistently.  You can learn quite a lot about any given module from
the command line.  For example, to see what stream_tcp is all about, do
this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>$ snort --help-config stream_tcp</code></pre>
</div></div>
<div class="paragraph"><p>Modules are configured using Lua tables with the same name.  So the
stream_tcp module is configured with defaults like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>stream_tcp = { }</code></pre>
</div></div>
<div class="paragraph"><p>The earlier help output showed that the default session tracking timeout is
30 seconds.  To change that to 60 seconds, you can configure it this way:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>stream_tcp = { session_timeout = 60 }</code></pre>
</div></div>
<div class="paragraph"><p>Or this way:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>stream_tcp = { }
stream_tcp.session_timeout = 60</code></pre>
</div></div>
<div class="paragraph"><p>More on parameters is given in the next section.</p></div>
<div class="paragraph"><p>Other things to note about modules:</p></div>
<div class="ulist"><ul>
<li>
<p>
Shutdown output will show the non-zero peg counts for all modules.  For
  example, if stream_tcp did anything, you would see the number of sessions
  processed among other things.
</p>
</li>
<li>
<p>
Providing the builtin rules allows the documentation to include them
  automatically and also allows for autogenerating the rules at startup.
</p>
</li>
<li>
<p>
Only a few module provide commands at this point, most notably the snort
  module.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_parameters">Parameters</h3>
<div class="paragraph"><p>Parameters are given with this format:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>type name = default: help { range }</code></pre>
</div></div>
<div class="paragraph"><p>The following types are used:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>addr</strong>: any valid IP4 or IP6 address or CIDR
</p>
</li>
<li>
<p>
<strong>addr_list</strong>: a space separated list of addr values
</p>
</li>
<li>
<p>
<strong>bit_list</strong>: a list of consecutive integer values from 1 to the range
  maximum
</p>
</li>
<li>
<p>
<strong>bool</strong>: true or false
</p>
</li>
<li>
<p>
<strong>dynamic</strong>: a select type determined by loaded plugins
</p>
</li>
<li>
<p>
<strong>enum</strong>: a string selected from the given range
</p>
</li>
<li>
<p>
<strong>implied</strong>: an IPS rule option that takes no value but means true
</p>
</li>
<li>
<p>
<strong>int</strong>: a whole number in the given range
</p>
</li>
<li>
<p>
<strong>interval</strong>: a set of ints (see below)
</p>
</li>
<li>
<p>
<strong>ip4</strong>: an IP4 address or CIDR
</p>
</li>
<li>
<p>
<strong>mac</strong>: an ethernet address with the form 01:02:03:04:05:06
</p>
</li>
<li>
<p>
<strong>multi</strong>: one or more space separated strings from the given range
</p>
</li>
<li>
<p>
<strong>port</strong>: an int in the range 0:65535 indicating a TCP or UDP port number
</p>
</li>
<li>
<p>
<strong>real</strong>: a real number in the given range
</p>
</li>
<li>
<p>
<strong>select</strong>: a string selected from the given range
</p>
</li>
<li>
<p>
<strong>string</strong>: any string with no more than the given length, if any
</p>
</li>
</ul></div>
<div class="paragraph"><p>The parameter name may be adorned in various ways to indicate additional
information about the type and use of the parameter:</p></div>
<div class="ulist"><ul>
<li>
<p>
For Lua configuration (not IPS rules), if the name ends with [] it is
  a list item and can be repeated.
</p>
</li>
<li>
<p>
For IPS rules only, names starting with ~ indicate positional
  parameters.  The names of such parameters do not appear in the rule.
</p>
</li>
<li>
<p>
IPS rules may also have a wild card parameter, which is indicated by a
  *.  Used for unquoted, comma-separated lists such as service and metadata.
</p>
</li>
<li>
<p>
The snort module has command line options starting with a -.
</p>
</li>
<li>
<p>
$ denotes variable names, eg rule_state.$gid_sid which would be used
  like rule_state["1:23456"] = { }.
</p>
</li>
</ul></div>
<div class="paragraph"><p>Some additional details to note:</p></div>
<div class="ulist"><ul>
<li>
<p>
Table and variable names are case sensitive; use lower case only.
</p>
</li>
<li>
<p>
String values are case sensitive too; use lower case only.
</p>
</li>
<li>
<p>
Numeric ranges may be of the form low:high where low and high are
  bounds included in the range.  If either is omitted, there is no hard
  bound. E.g. 0: means any x where x &gt;= 0.
</p>
</li>
<li>
<p>
Strings may have a numeric range indicating a length limit; otherwise
  there is no hard limit.
</p>
</li>
<li>
<p>
bit_list is typically used to store a set of byte, port, or VLAN ID
  values.
</p>
</li>
<li>
<p>
interval takes the form [operator]i, j&lt;&gt;k, or j&lt;&#8658;k where i,j,k are
  integers and operator is one of =, !, != (same as !), &lt;, &#8656;, &gt;, &gt;=.
  j&lt;&gt;k means j &lt; int &lt; k and j&lt;&#8658;k means j &#8656; int &#8656; k.
</p>
</li>
<li>
<p>
Ranges may use maxXX like { 1:max32 } since max32 is easier to read
  than 4294967295.  To get the values of maxXX, use snort --help-limits.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_plugins">Plugins</h3>
<div class="paragraph"><p>Snort uses a variety of plugins to accomplish much of its processing
objectives, including:</p></div>
<div class="ulist"><ul>
<li>
<p>
Codec - to decode and encode packets
</p>
</li>
<li>
<p>
Inspector - like Snort 2 preprocessors, for normalization, etc.
</p>
</li>
<li>
<p>
IpsOption - for detection in Snort rules
</p>
</li>
<li>
<p>
IpsAction - for custom actions
</p>
</li>
<li>
<p>
Logger - for handling events
</p>
</li>
<li>
<p>
Mpse - for fast pattern matching
</p>
</li>
<li>
<p>
So - for dynamic rules
</p>
</li>
</ul></div>
<div class="paragraph"><p>The power of plugins is that they have a very focused purpose and can be
created with relative ease.  For example, you can extend the rule language
by writing your own IpsOption and it will plug in and function just like
existing options.  The extra directory has examples of each type of plugin.</p></div>
<div class="paragraph"><p>Most plugins can be built statically or dynamically.  By default they are
all static.  There is no difference in functionality between static or
dynamic plugins but the dynamic build generates a slightly lighter weight
binary.  Either way you can add dynamic plugins with --plugin-path and
newer versions will replace older versions, even when built statically.</p></div>
<div class="paragraph"><p>A single dynamic library may contain more than one plugin.  For example, an
inspector will typically be packaged together with any associated rule
options.</p></div>
</div>
<div class="sect2">
<h3 id="_operation">Operation</h3>
<div class="paragraph"><p>Snort is a signature-based IPS, which means that as it receives network
packets it reassembles and normalizes the content so that a set of rules
can be evaluated to detect the presence of any significant conditions that
merit further action.  A rough processing flow is as follows:</p></div>
<div class="imageblock">
<div class="content">
<img src="./snort2x.png" alt="Snort 2" width="480" />
</div>
</div>
<div class="paragraph"><p>The steps are:</p></div>
<div class="olist arabic"><ol class="arabic">
<li>
<p>
Decode each packet to determine the basic network characteristics such
as source and destination addresses and ports.  A typical packet might have
ethernet containing IP containing TCP containing HTTP (ie eth:ip:tcp:http).
The various encapsulating protocols are examined for sanity and anomalies
as the packet is decoded.  This is essentially a stateless effort.
</p>
</li>
<li>
<p>
Preprocess each decoded packet using accumulated state to determine the
purpose and content of the innermost message.  This step may involve
reordering and reassembling IP fragments and TCP segments to produce the
original application protocol data unit (PDU).  Such PDUs are analyzed and
normalized as needed to support further processing.
</p>
</li>
<li>
<p>
Detection is a two step process.  For efficiency, most rules contain a
specific content pattern that can be searched for such that if no match is
found no further processing is necessary.  Upon start up, the rules are
compiled into pattern groups such that a single, parallel search can be
done for all patterns in the group.  If any match is found, the full rule
is examined according to the specifics of the signature.
</p>
</li>
<li>
<p>
The logging step is where Snort saves any pertinent information
resulting from the earlier steps.  More generally, this is where other
actions can be taken as well such as blocking the packet.
</p>
</li>
</ol></div>
<div class="sect3">
<h4 id="_snort_2_processing">Snort 2 Processing</h4>
<div class="paragraph"><p>The preprocess step in Snort 2 is highly configurable.  Arbitrary
preprocessors can be loaded dynamically at startup, configured in
snort.conf, and then executed at runtime.  Basically, the preprocessors are
put into a list which is iterated for each packet.  Recent versions have
tweaked the list handling some, but the same basic architecture has allowed
Snort 2 to grow from a sniffer, with no preprocessing, to a full-fledged
IPS, with lots of preprocessing.</p></div>
<div class="paragraph"><p>While this "list of plugins" approach has considerable flexibility, it
hampers future development when the flow of data from one preprocessor to
the next depends on traffic conditions, a common situation with advanced
features like application identification.  In this case, a preprocessor
like HTTP may be extracting and normalizing data that ultimately is not
used, or appID may be repeatedly checking for data that is just not
available.</p></div>
<div class="paragraph"><p>Callbacks help break out of the preprocess straitjacket.  This is where one
preprocessor supplies another with a function to call when certain data is
available.  Snort has started to take this approach to pass some HTTP and
SIP preprocessor data to appID.  However, it remains a peripheral feature
and still requires the production of data that may not be consumed.</p></div>
</div>
<div class="sect3">
<h4 id="_snort_3_processing">Snort 3 Processing</h4>
<div class="paragraph"><p>One of the goals of Snort 3 is to provide a more flexible framework for
packet processing by implementing an event-driven approach.  Another is to
produce data only when needed to minimize expensive normalizations.
However, the basic packet processing provides very similar functionality.</p></div>
<div class="paragraph"><p>The basic processing steps Snort 3 takes are similar to Snort 2 as seen
in the following diagram.  The preprocess step employs specific inspector
types instead of a generalized list, but the basic procedure includes
stateless packet decoding, TCP stream reassembly, and service specific
analysis in both cases.  (Snort 3 provides hooks for arbitrary inspectors,
but they are not central to basic flow processing and are not shown.)</p></div>
<div class="imageblock">
<div class="content">
<img src="./snort3x.png" alt="Snort 3" width="480" />
</div>
</div>
<div class="paragraph"><p>However, Snort 3 also provides a more flexible mechanism than callback
functions.  By using inspection events, it is possible for an inspector to
supply data that other inspectors can process.  This is known as the
observer pattern or publish-subscribe pattern.</p></div>
<div class="paragraph"><p>Note that the data is not actually published.  Instead, access to the data
is published, and that means that subscribers can access the raw or
normalized version(s) as needed.  Normalizations are done only on the first
access, and subsequent accesses get the previously normalized data.  This
results in just in time (JIT) processing.</p></div>
<div class="paragraph"><p>A basic example of this in action is provided by the extra data_log plugin.
It is a passive inspector, ie it does nothing until it receives the data it
subscribed for (<em>other</em> in the above diagram).  By adding the following to
your snort.lua configuration, you will get a simple URI logger.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>data_log = { key = 'http_raw_uri' }</code></pre>
</div></div>
<div class="paragraph"><p>Inspection events coupled with pluggable inspectors provide a very flexible
framework for implementing new features.  And JIT buffer stuffers allow
Snort to work smarter, not harder.  These capabilities will be leveraged
more and more as Snort development continues.</p></div>
</div>
</div>
<div class="sect2">
<h3 id="_rules_2">Rules</h3>
<div class="paragraph"><p>Rules tell Snort how to detect interesting conditions, such as an attack,
and what to do when the condition is detected.  Here is an example rule:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp any any -&gt; 192.168.1.1 80 ( msg:"A ha!"; content:"attack"; sid:1; )</code></pre>
</div></div>
<div class="paragraph"><p>The structure is:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>action proto source dir dest ( body )</code></pre>
</div></div>
<div class="paragraph"><p>Where:</p></div>
<div class="paragraph"><p>action - tells Snort what to do when a rule "fires", ie when the signature
matches.  In this case Snort will log the event.  It can also do thing like
block the flow when running inline.</p></div>
<div class="paragraph"><p>proto - tells Snort what protocol applies.  This may be ip, icmp, tcp, udp,
http, etc.</p></div>
<div class="paragraph"><p>source - specifies the sending IP address and port, either of which can be
the keyword any, which is a wildcard.</p></div>
<div class="paragraph"><p>dir - must be either unidirectional as above or bidirectional indicated by
&lt;&gt;.</p></div>
<div class="paragraph"><p>dest - similar to source but indicates the receiving end.</p></div>
<div class="paragraph"><p>body - detection and other information contained in parenthesis.</p></div>
<div class="paragraph"><p>There are many rule options available to construct as sophisticated a
signature as needed.  In this case we are simply looking for the "attack"
in any TCP packet.  A better rule might look like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alert http
(
    msg:"Gotcha!";
    flow:established, to_server;
    http_uri:"attack";
    sid:2;
)</code></pre>
</div></div>
<div class="paragraph"><p>Note that these examples have a sid option, which indicates the signature
ID.  In general rules are specified by gid:sid:rev notation, where gid is
the generator ID and rev is the revision of the rule.  By default, text
rules are gid 1 and shared-object (SO) rules are gid 3.  The various
components within Snort that generate events have 1XX gids, for example the
decoder is gid 116.  You can list the internal gids and sids with these
commands:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>$ snort --list-gids
$ snort --list-builtin</code></pre>
</div></div>
<div class="paragraph"><p>For details on these and other options, see the reference section.</p></div>
</div>
<div class="sect2">
<h3 id="_pattern_matching">Pattern Matching</h3>
<div class="paragraph"><p>Snort evaluates rules in a two-step process which includes a fast pattern
search and full evaluation of the signature.  More details on this process
follow.</p></div>
<div class="sect3">
<h4 id="_rule_groups">Rule Groups</h4>
<div class="paragraph"><p>When Snort starts or reloads configuration, rules are grouped by protocol,
port and service.  For example, all TCP rules using the HTTP_PORTS variable
will go in one group and all service HTTP rules will go in another group.
These rule groups are compiled into multipattern search engines (MPSE)
which are designed to search for all patterns with just a single pass
through a given packet or buffer.  You can select the algorithm to use for
fast pattern searches with search_engine.search_method which defaults to
<em>ac_bnfa</em>, which balances speed and memory.  For a faster search at the
expense of significantly more memory, use <em>ac_full</em>.  For best performance
and reasonable memory, download the hyperscan source from Intel.</p></div>
</div>
<div class="sect3">
<h4 id="_fast_patterns">Fast Patterns</h4>
<div class="paragraph"><p>Fast patterns are content strings that have the fast_pattern option or
which have been selected by Snort automatically to be used as a fast
pattern.  Snort will by default choose the longest pattern in the rule
since that is likely to be most unique.  That is not always the case so add
fast_pattern to the appropriate content option for best performance.  The
ideal fast pattern is one which, if found, is very likely to result in a
rule match.  Fast patterns that match frequently for unrelated traffic will
cause Snort to work hard with little to show for it.</p></div>
<div class="paragraph"><p>Certain contents are not eligible to be used as fast patterns.
Specifically, if a content is negated, then if it is also relative to
another content, case sensitive, or has non-zero offset or depth, then it
is not eligible to be used as a fast pattern.</p></div>
</div>
<div class="sect3">
<h4 id="_rule_evaluation">Rule Evaluation</h4>
<div class="paragraph"><p>For each fast pattern match, the corresponding rule(s) are evaluated
left-to-right.  Rule evaluation requires checking each detection option in
a rule and is a fairly costly process which is why fast patterns are so
important.  Rule evaluation aborts on the first non-matching option.</p></div>
<div class="paragraph"><p>When rule evaluation takes place, the fast pattern match will automatically
be skipped if possible.  Note that this differs from Snort 2 which provided
the fast_pattern:only option to designate such cases.  This is one less
thing for the rule writer to worry about.</p></div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_tutorial">Tutorial</h2>
<div class="sectionbody">
<div class="paragraph"><p>The section will walk you through building and running Snort.  It is not
exhaustive but, once you master this material, you should be able to figure
out more advanced usage.</p></div>
<div class="sect2">
<h3 id="_dependencies">Dependencies</h3>
<div class="paragraph"><p>Required:</p></div>
<div class="ulist"><ul>
<li>
<p>
cmake to build from source
</p>
</li>
<li>
<p>
daq from <a href="https://github.com/snort3/libdaq">https://github.com/snort3/libdaq</a> for packet IO
</p>
</li>
<li>
<p>
g++ &gt;= 4.8 or other recent C++11 compiler
</p>
</li>
<li>
<p>
dnet from <a href="https://github.com/dugsong/libdnet.git">https://github.com/dugsong/libdnet.git</a> for network utility
  functions
</p>
</li>
<li>
<p>
hwloc from <a href="https://www.open-mpi.org/projects/hwloc/">https://www.open-mpi.org/projects/hwloc/</a> for CPU affinity management
</p>
</li>
<li>
<p>
LuaJIT from <a href="http://luajit.org">http://luajit.org</a> for configuration and scripting
</p>
</li>
<li>
<p>
OpenSSL from <a href="https://www.openssl.org/source/">https://www.openssl.org/source/</a> for SHA and MD5 file signatures,
  the protected_content rule option, and SSL service detection
</p>
</li>
<li>
<p>
pcap from <a href="http://www.tcpdump.org">http://www.tcpdump.org</a> for tcpdump style logging
</p>
</li>
<li>
<p>
pcre from <a href="http://www.pcre.org">http://www.pcre.org</a> for regular expression pattern matching
</p>
</li>
<li>
<p>
pkgconfig from <a href="https://www.freedesktop.org/wiki/Software/pkg-config/">https://www.freedesktop.org/wiki/Software/pkg-config/</a> to locate build dependencies
</p>
</li>
<li>
<p>
zlib from <a href="http://www.zlib.net">http://www.zlib.net</a> for decompression (&gt;= 1.2.8 recommended)
</p>
</li>
</ul></div>
<div class="paragraph"><p>Optional:</p></div>
<div class="ulist"><ul>
<li>
<p>
asciidoc from <a href="http://www.methods.co.nz/asciidoc/">http://www.methods.co.nz/asciidoc/</a> to build the HTML
  manual
</p>
</li>
<li>
<p>
cpputest from <a href="http://cpputest.github.io">http://cpputest.github.io</a> to run additional unit tests with
  make check
</p>
</li>
<li>
<p>
dblatex from <a href="http://dblatex.sourceforge.net">http://dblatex.sourceforge.net</a> to build the pdf manual (in
  addition to asciidoc)
</p>
</li>
<li>
<p>
flatbuffers from <a href="https://google.github.io/flatbuffers/">https://google.github.io/flatbuffers/</a> for enabling the
  flatbuffers serialization format
</p>
</li>
<li>
<p>
hyperscan &gt;= 4.4.0 from <a href="https://github.com/01org/hyperscan">https://github.com/01org/hyperscan</a> to build new
  the regex and sd_pattern rule options and hyperscan search engine.
  Hyperscan is large so it recommended to follow their instructions for
  building it as a shared library.
</p>
</li>
<li>
<p>
iconv from <a href="https://ftp.gnu.org/pub/gnu/libiconv/">https://ftp.gnu.org/pub/gnu/libiconv/</a> for converting
  UTF16-LE filenames to UTF8 (usually included in glibc)
</p>
</li>
<li>
<p>
lzma &gt;= 5.1.2 from <a href="http://tukaani.org/xz/">http://tukaani.org/xz/</a> for decompression of SWF and
  PDF files
</p>
</li>
<li>
<p>
safec &gt;= 3.5 from <a href="https://github.com/rurban/safeclib/">https://github.com/rurban/safeclib/</a> for runtime bounds
  checks on certain legacy C-library calls
</p>
</li>
<li>
<p>
source-highlight from <a href="http://www.gnu.org/software/src-highlite/">http://www.gnu.org/software/src-highlite/</a> to
  generate the dev guide
</p>
</li>
<li>
<p>
w3m from <a href="http://sourceforge.net/projects/w3m/">http://sourceforge.net/projects/w3m/</a> to build the plain text
  manual
</p>
</li>
<li>
<p>
uuid from uuid-dev package for unique identifiers
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_building">Building</h3>
<div class="ulist"><ul>
<li>
<p>
Optionally built features are listed in the reference section.
</p>
</li>
<li>
<p>
Create an install path:
</p>
<div class="literalblock">
<div class="content">
<pre><code>export my_path=/path/to/snorty
mkdir -p $my_path</code></pre>
</div></div>
</li>
<li>
<p>
If LibDAQ was installed to a custom, non-system path:
</p>
<div class="literalblock">
<div class="content">
<pre><code>export PKG_CONFIG_PATH=/libdaq/install/path/lib/pkgconfig:$PKG_CONFIG_PATH</code></pre>
</div></div>
</li>
<li>
<p>
Now do one of the following:
</p>
<div class="olist loweralpha"><ol class="loweralpha">
<li>
<p>
To build with cmake and make, run configure_cmake.sh.  It will
   automatically create and populate a new subdirectory named <em>build</em>.
</p>
<div class="literalblock">
<div class="content">
<pre><code>./configure_cmake.sh --prefix=$my_path
cd build
make -j
make install
ln -s $my_path/conf $my_path/etc</code></pre>
</div></div>
</li>
<li>
<p>
You can also specify a cmake project generator:
</p>
<div class="literalblock">
<div class="content">
<pre><code>./configure_cmake.sh --generator=Xcode --prefix=$my_path</code></pre>
</div></div>
</li>
<li>
<p>
Or use ccmake directly to configure and generate from an arbitrary build
   directory like one of these:
</p>
<div class="literalblock">
<div class="content">
<pre><code>ccmake -G Xcode /path/to/Snort++/tree
open snort.xcodeproj</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>ccmake -G "Eclipse CDT4 - Unix Makefiles" /path/to/Snort++/tree
run eclipse and do File &gt; Import &gt; Existing Eclipse Project</code></pre>
</div></div>
</li>
</ol></div>
</li>
<li>
<p>
To build with g++ on OS X where clang is installed, do this first:
</p>
<div class="literalblock">
<div class="content">
<pre><code>export CXX=g++</code></pre>
</div></div>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_running">Running</h3>
<div class="paragraph"><p>Examples:</p></div>
<div class="ulist"><ul>
<li>
<p>
Get some help:
</p>
<div class="literalblock">
<div class="content">
<pre><code>$my_path/bin/snort --help
$my_path/bin/snort --help-module suppress
$my_path/bin/snort --help-config | grep thread</code></pre>
</div></div>
</li>
<li>
<p>
Examine and dump a pcap:
</p>
<div class="literalblock">
<div class="content">
<pre><code>$my_path/bin/snort -r &lt;pcap&gt;
$my_path/bin/snort -L dump -d -e -q -r &lt;pcap&gt;</code></pre>
</div></div>
</li>
<li>
<p>
Verify config, with or w/o rules:
</p>
<div class="literalblock">
<div class="content">
<pre><code>$my_path/bin/snort -c $my_path/etc/snort/snort.lua
$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules</code></pre>
</div></div>
</li>
<li>
<p>
Run IDS mode.  To keep it brief, look at the first n packets in each file:
</p>
<div class="literalblock">
<div class="content">
<pre><code>$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
    -r &lt;pcap&gt; -A alert_test -n 100000</code></pre>
</div></div>
</li>
<li>
<p>
Let&#8217;s suppress 1:2123.  We could edit the conf or just do this:
</p>
<div class="literalblock">
<div class="content">
<pre><code>$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
    -r &lt;pcap&gt; -A alert_test -n 100000 --lua "suppress = { { gid = 1, sid = 2123 } }"</code></pre>
</div></div>
</li>
<li>
<p>
Go whole hog on a directory with multiple packet threads:
</p>
<div class="literalblock">
<div class="content">
<pre><code>$my_path/bin/snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
    --pcap-filter \*.pcap --pcap-dir &lt;dir&gt; -A alert_fast -n 1000 --max-packet-threads 8</code></pre>
</div></div>
</li>
</ul></div>
<div class="paragraph"><p>For more examples, see the usage section.</p></div>
</div>
<div class="sect2">
<h3 id="_tips">Tips</h3>
<div class="paragraph"><p>One of the goals of Snort 3 is to make it easier to configure your sensor.
Here is a summary of tips and tricks you may find useful.</p></div>
<div class="paragraph"><p>General Use</p></div>
<div class="ulist"><ul>
<li>
<p>
Snort tries hard not to error out too quickly.  It will report multiple
  semantic errors.
</p>
</li>
<li>
<p>
Snort always assumes the simplest mode of operation.  Eg, you can omit the -T
  option to validate the conf if you don&#8217;t provide a packet source.
</p>
</li>
<li>
<p>
Warnings are not emitted unless --warn-* is specified.  --warn-all enables all
  warnings, and --pedantic makes such warnings fatal.
</p>
</li>
<li>
<p>
You can process multiple sources at one time by using the -z or --max-threads
  option.
</p>
</li>
<li>
<p>
To make it easy to find the important data, zero counts are not output at
  shutdown.
</p>
</li>
<li>
<p>
Load plugins from the command line with --plugin-path /path/to/install/lib.
</p>
</li>
<li>
<p>
You can process multiple sources at one time by using the -z or
  --max-threads option.
</p>
</li>
<li>
<p>
Unit tests are configured with --enable-unit-tests.  They can then be run
  with snort --catch-test [tags]|all.
</p>
</li>
</ul></div>
<div class="paragraph"><p>Lua Configuration</p></div>
<div class="ulist"><ul>
<li>
<p>
Configure the wizard and default bindings will be created based on configured
  inspectors.  No need to explicitly bind ports in this case.
</p>
</li>
<li>
<p>
You can override or add to your Lua conf with the --lua command line option.
</p>
</li>
<li>
<p>
The Lua conf is a live script that is executed when loaded.  You can add
  functions, grab environment variables, compute values, etc.
</p>
</li>
<li>
<p>
You can also rename symbols that you want to disable.  For example,
  changing normalizer to  Xnormalizer (an unknown symbol) will disable the
  normalizer.  This can be easier than commenting in some cases.
</p>
</li>
<li>
<p>
By default, symbols unknown to Snort are silently ignored.  You can
  generate warnings for them  with --warn-unknown.  To ignore such symbols,
  export them in the environment variable SNORT_IGNORE.
</p>
</li>
</ul></div>
<div class="paragraph"><p>Writing and Loading Rules</p></div>
<div class="paragraph"><p>Snort rules allow arbitrary whitespace.  Multi-line rules make it easier to
structure your rule  for clarity.  There are multiple ways to add comments to
your rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
The # character starts a comment to end of line.  In addition, all lines
  between #begin and #end are comments.
</p>
</li>
<li>
<p>
The rem option allows you to write a comment that is conveyed with the rule.
</p>
</li>
<li>
<p>
C style multi-line comments are allowed, which means you can comment out
  portions of a rule while  testing it out by putting the options between /* and
  */.
</p>
</li>
</ul></div>
<div class="paragraph"><p>There are multiple ways to load rules too:</p></div>
<div class="ulist"><ul>
<li>
<p>
Set ips.rules or ips.include.
</p>
</li>
<li>
<p>
include statements can be used in rules files.
</p>
</li>
<li>
<p>
Use -R to load a rules file.
</p>
</li>
<li>
<p>
Use --stdin-rules with command line redirection.
</p>
</li>
<li>
<p>
Use --lua to specify one or more rules as a command line argument.
</p>
</li>
</ul></div>
<div class="paragraph"><p>Output Files</p></div>
<div class="paragraph"><p>To make it simple to configure outputs when you run with multiple packet
threads, output files are not explicitly configured.  Instead, you can use the
options below to format the paths:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>&lt;logdir&gt;/[&lt;run_prefix&gt;][&lt;id#&gt;][&lt;X&gt;]&lt;name&gt;</code></pre>
</div></div>
<div class="ulist"><ul>
<li>
<p>
logdir is set with -l and defaults to ./
</p>
</li>
<li>
<p>
run_prefix is set with --run-prefix else not used
</p>
</li>
<li>
<p>
id# is the packet thread number that writes the file; with one packet thread,
  id# (zero) is omitted without --id-zero
</p>
</li>
<li>
<p>
X is / if you use --id-subdir, else _ if id# is used
</p>
</li>
<li>
<p>
name is based on module name that writes the file
</p>
</li>
<li>
<p>
all text mode outputs default to stdout
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_help">Help</h3>
<div class="listingblock">
<div class="content">
<pre><code>Snort has several options to get more help:

-? list command line options (same as --help)
--help this overview of help
--help-commands [&lt;module prefix&gt;] output matching commands
--help-config [&lt;module prefix&gt;] output matching config options
--help-counts [&lt;module prefix&gt;] output matching peg counts
--help-limits print the int upper bounds denoted by max*
--help-module &lt;module&gt; output description of given module
--help-modules list all available modules with brief help
--help-plugins list all available plugins with brief help
--help-options [&lt;option prefix&gt;] output matching command line options
--help-signals dump available control signals
--list-buffers output available inspection buffers
--list-builtin [&lt;module prefix&gt;] output matching builtin rules
--list-gids [&lt;module prefix&gt;] output matching generators
--list-modules [&lt;module type&gt;] list all known modules
--list-plugins list all known modules
--show-plugins list module and plugin versions

--help* and --list* options preempt other processing so should be last on the
command line since any following options are ignored.  To ensure options like
--markup and --plugin-path take effect, place them ahead of the help or list
options.

Options that filter output based on a matching prefix, such as --help-config
won't output anything if there is no match.  If no prefix is given, everything
matches.

Report bugs to bugs@snort.org.</code></pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_common_errors">Common Errors</h3>
<div class="paragraph"><p><em>PANIC: unprotected error in call to Lua API (cannot open
snort_defaults.lua: No such file or directory)</em></p></div>
<div class="ulist"><ul>
<li>
<p>
export SNORT_LUA_PATH to point to any dofiles
</p>
</li>
</ul></div>
<div class="paragraph"><p><em>ERROR can&#8217;t find xyz</em></p></div>
<div class="ulist"><ul>
<li>
<p>
if xyz is the name of a module, make sure you are not assigning a scalar
  where a table is required (e.g. xyz = 2 should be xyz = { }).
</p>
</li>
</ul></div>
<div class="paragraph"><p><em>ERROR can&#8217;t find x.y</em></p></div>
<div class="ulist"><ul>
<li>
<p>
module x does not have a parameter named y.  check --help-module x for
  available parameters.
</p>
</li>
</ul></div>
<div class="paragraph"><p><em>ERROR invalid x.y = z</em></p></div>
<div class="ulist"><ul>
<li>
<p>
the value z is out of range for x.y.  check --help-config x.y for the range
  allowed.
</p>
</li>
</ul></div>
<div class="paragraph"><p><em>ERROR: x = { y = z } is in conf but is not being applied</em></p></div>
<div class="ulist"><ul>
<li>
<p>
make sure that x = { } isn&#8217;t set later because it will override the
  earlier setting.  same for x.y.
</p>
</li>
</ul></div>
<div class="paragraph"><p><em>FATAL: can&#8217;t load lua/errors.lua: lua/errors.lua:68: <em>=</em> expected near
';'</em></p></div>
<div class="ulist"><ul>
<li>
<p>
this is a syntax error reported by Lua to Snort on line 68 of errors.lua.
</p>
</li>
</ul></div>
<div class="paragraph"><p><em>ERROR: rules(2) unknown rule keyword: find.</em></p></div>
<div class="ulist"><ul>
<li>
<p>
this was due to not including the --script-path.
</p>
</li>
</ul></div>
<div class="paragraph"><p><em>WARNING: unknown symbol x</em></p></div>
<div class="ulist"><ul>
<li>
<p>
if you any variables, you can squelch such warnings by setting them in
  an environment variable SNORT_IGNORE.  to ignore x, y, and z:
</p>
<div class="literalblock">
<div class="content">
<pre><code>export SNORT_IGNORE="x y z"</code></pre>
</div></div>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_gotchas">Gotchas</h3>
<div class="ulist"><ul>
<li>
<p>
A nil key in a table will not be caught.  Neither will a nil value in a
  table.  Neither of the following will cause errors, nor will they
  actually set http_inspect.request_depth:
</p>
<div class="literalblock">
<div class="content">
<pre><code>http_inspect = { request_depth }
http_inspect = { request_depth = undefined_symbol }</code></pre>
</div></div>
</li>
<li>
<p>
It is not an error to set a value multiple times.  The actual value
  applied may not be the last in the table either.  It is best to avoid
  such cases.
</p>
<div class="literalblock">
<div class="content">
<pre><code>http_inspect =
{
    request_depth = 1234,
    request_depth = 4321
}</code></pre>
</div></div>
</li>
<li>
<p>
Snort can&#8217;t tell you the exact filename or line number of a semantic
  error but it will tell you the fully qualified name.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_known_issues">Known Issues</h3>
<div class="ulist"><ul>
<li>
<p>
The dump DAQ will not work with multiple threads unless you use --daq-var
  output=none.  This will be fixed at some point to use the Snort log
  directory, etc.
</p>
</li>
<li>
<p>
If you build with hyperscan on OS X and see:
</p>
<div class="literalblock">
<div class="content">
<pre><code>dyld: Library not loaded: @rpath/libhs.4.0.dylib</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>when you try to run src/snort, export DYLD_LIBRARY_PATH with the path to
libhs.  You can also do:</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>install_name_tool -change @rpath/libhs.4.0.dylib \
    /path-to/libhs.4.0.dylib src/snort</code></pre>
</div></div>
</li>
<li>
<p>
Snort built with tcmalloc support (--enable-tcmalloc) on Ubuntu 17.04/18.04
  crashes immediately.
</p>
<div class="literalblock">
<div class="content">
<pre><code>Workaround:
Uninstall gperftools 2.5 provided by the distribution and install gperftools
2.7 before building Snort.</code></pre>
</div></div>
</li>
</ul></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_usage">Usage</h2>
<div class="sectionbody">
<div class="paragraph"><p>For the following examples "$my_path" is assumed to be the path to the
Snort install directory. Additionally, it is assumed that "$my_path/bin"
is in your PATH.</p></div>
<div class="sect2">
<h3 id="_help_2">Help</h3>
<div class="paragraph"><p>Print the help summary:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --help</code></pre>
</div></div>
<div class="paragraph"><p>Get help on a specific module ("stream", for example):</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --help-module stream</code></pre>
</div></div>
<div class="paragraph"><p>Get help on the "-A" command line option:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --help-options A</code></pre>
</div></div>
<div class="paragraph"><p>Grep for help on threads:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --help-config | grep thread</code></pre>
</div></div>
<div class="paragraph"><p>Output help on "rule" options in AsciiDoc format:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --markup --help-options rule</code></pre>
</div></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/note.png" alt="Note" />
</td>
<td class="content">Snort stops reading command-line options after the "--help-<strong>" and
"--list-</strong>" options, so any other options should be placed before them.</td>
</tr></table>
</div>
</div>
<div class="sect2">
<h3 id="_sniffing_and_logging">Sniffing and Logging</h3>
<div class="paragraph"><p>Read a pcap:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -r /path/to/my.pcap</code></pre>
</div></div>
<div class="paragraph"><p>Dump the packets to stdout:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -r /path/to/my.pcap -L dump</code></pre>
</div></div>
<div class="paragraph"><p>Dump packets with application data and layer 2 headers</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -r /path/to/my.pcap -L dump -d -e</code></pre>
</div></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/note.png" alt="Note" />
</td>
<td class="content">Command line options must be specified separately. "snort -de" won&#8217;t
work.  You can still concatenate options and their arguments, however, so
"snort -Ldump" will work.</td>
</tr></table>
</div>
<div class="paragraph"><p>Dump packets from all pcaps in a directory:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -d -e</code></pre>
</div></div>
<div class="paragraph"><p>Log packets to a directory:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -l /path/to/log/dir</code></pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_configuration_2">Configuration</h3>
<div class="paragraph"><p>Validate a configuration file:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua</code></pre>
</div></div>
<div class="paragraph"><p>Validate a configuration file and a separate rules file:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules</code></pre>
</div></div>
<div class="paragraph"><p>Read rules from stdin and validate:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua --stdin-rules &lt; $my_path/etc/snort/sample.rules</code></pre>
</div></div>
<div class="paragraph"><p>Enable warnings for Lua configurations and make warnings fatal:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua --warn-all --pedantic</code></pre>
</div></div>
<div class="paragraph"><p>Tell Snort where to look for additional Lua scripts:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --script-path /path/to/script/dir</code></pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_ids_mode">IDS mode</h3>
<div class="paragraph"><p>Run Snort in IDS mode, reading packets from a pcap:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap</code></pre>
</div></div>
<div class="paragraph"><p>Log any generated alerts to the console using the "-A" option:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A alert_full</code></pre>
</div></div>
<div class="paragraph"><p>Capture separate stdout, stderr, and stdlog files (out has startup and
shutdown output, err has warnings and errors, and log has alerts):</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A csv \
    1&gt;out 2&gt;err 3&gt;log</code></pre>
</div></div>
<div class="paragraph"><p>Add or modify a configuration from the command line using the "--lua" option:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A cmg \
    --lua 'ips = { enable_builtin_rules = true }'</code></pre>
</div></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/note.png" alt="Note" />
</td>
<td class="content">The "--lua" option can be specified multiple times.</td>
</tr></table>
</div>
<div class="paragraph"><p>Run Snort in IDS mode on an entire directory of pcaps, processing each
input source on a separate thread:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
    --pcap-filter '*.pcap' --max-packet-threads 8</code></pre>
</div></div>
<div class="paragraph"><p>Run Snort on 2 interfaces, eth0 and eth1:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua -i "eth0 eth1" -z 2 -A cmg</code></pre>
</div></div>
<div class="paragraph"><p>Run Snort inline with the afpacket DAQ:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua --daq afpacket -i "eth0:eth1" \
    -A cmg</code></pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_plugins_2">Plugins</h3>
<div class="paragraph"><p>Load external plugins and use the "ex" alert:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua \
    --plugin-path $my_path/lib/snort_extra \
    -A alert_ex -r /path/to/my.pcap</code></pre>
</div></div>
<div class="paragraph"><p>Test the LuaJIT rule option <em>find</em> loaded from stdin:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua \
    --script-path $my_path/lib/snort_extra \
    --stdin-rules -A cmg -r /path/to/my.pcap &lt;&lt; END
alert tcp any any -&gt; any 80 (
    sid:3; msg:"found"; content:"GET";
    find:"pat='HTTP/1%.%d'" ; )
END</code></pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_output_files">Output Files</h3>
<div class="paragraph"><p>To make it simple to configure outputs when you run with multiple packet
threads, output files are not explicitly configured. Instead, you can use
the options below to format the paths:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>&lt;logdir&gt;/[&lt;run_prefix&gt;][&lt;id#&gt;][&lt;X&gt;]&lt;name&gt;</code></pre>
</div></div>
<div class="paragraph"><p>Log to unified in the current directory:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2</code></pre>
</div></div>
<div class="paragraph"><p>Log to unified in the current directory with a different prefix:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 \
    --run-prefix take2</code></pre>
</div></div>
<div class="paragraph"><p>Log to unified in /tmp:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 -l /tmp</code></pre>
</div></div>
<div class="paragraph"><p>Run 4 packet threads and log with thread number prefix (0-3):</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
    --pcap-filter '*.pcap' -z 4 -A unified2</code></pre>
</div></div>
<div class="paragraph"><p>Run 4 packet threads and log in thread number subdirs (0-3):</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
    --pcap-filter '*.pcap' -z 4 -A unified2 --id-subdir</code></pre>
</div></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/note.png" alt="Note" />
</td>
<td class="content">subdirectories are created automatically if required.  Log filename
is based on module name that writes the file.  All text mode outputs
default to stdout.  These options can be combined.</td>
</tr></table>
</div>
</div>
<div class="sect2">
<h3 id="_daq_alternatives">DAQ Alternatives</h3>
<div class="paragraph"><p>Process hext packets from stdin:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua \
    --daq-dir $my_path/lib/snort/daqs --daq hext -i tty &lt;&lt; END
$packet 10.1.2.3 48620 -&gt; 10.9.8.7 80
"GET / HTTP/1.1\r\n"
"Host: localhost\r\n"
"\r\n"
END</code></pre>
</div></div>
<div class="paragraph"><p>Process raw ethernet from hext file:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua \
    --daq-dir $my_path/lib/snort/daqs --daq hext \
    --daq-var dlt=1 -r &lt;hext-file&gt;</code></pre>
</div></div>
<div class="paragraph"><p>Process a directory of plain files (ie non-pcap) with 4 threads with 8K
buffers:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua \
    --daq-dir $my_path/lib/snort/daqs --daq file \
    --pcap-dir path/to/files -z 4 -s 8192</code></pre>
</div></div>
<div class="paragraph"><p>Bridge two TCP connections on port 8000 and inspect the traffic:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua \
    --daq-dir $my_path/lib/snort/daqs --daq socket</code></pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_logger_alternatives">Logger Alternatives</h3>
<div class="paragraph"><p>Dump TCP stream payload in hext mode:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua -L hext</code></pre>
</div></div>
<div class="paragraph"><p>Output timestamp, pkt_num, proto, pkt_gen, dgm_len, dir, src_ap, dst_ap,
rule, action for each alert:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua -A csv</code></pre>
</div></div>
<div class="paragraph"><p>Output the old test format alerts:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort -c $my_path/etc/snort/snort.lua \
    --lua "alert_csv = { fields = 'pkt_num gid sid rev', separator = '\t' }"</code></pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_shell">Shell</h3>
<div class="paragraph"><p>You must build with --enable-shell to make the command line shell available.</p></div>
<div class="paragraph"><p>Enable shell mode:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --shell &lt;args&gt;</code></pre>
</div></div>
<div class="paragraph"><p>You will see the shell mode command prompt, which looks like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>o")~</code></pre>
</div></div>
<div class="paragraph"><p>(The prompt can be changed with the SNORT_PROMPT environment variable.)</p></div>
<div class="paragraph"><p>You can pause immediately after loading the configuration and again before
exiting with:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --shell --pause &lt;args&gt;</code></pre>
</div></div>
<div class="paragraph"><p>In that case you must issue the resume() command to continue.  Enter quit()
to terminate Snort or detach() to exit the shell.  You can list the
available commands with help().</p></div>
<div class="paragraph"><p>To enable local telnet access on port 12345:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --shell -j 12345 &lt;args&gt;</code></pre>
</div></div>
<div class="paragraph"><p>The command line interface is still under development.  Suggestions are
welcome.</p></div>
</div>
<div class="sect2">
<h3 id="_signals">Signals</h3>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/note.png" alt="Note" />
</td>
<td class="content">The following examples assume that Snort is currently running and has
a process ID of &lt;pid&gt;.</td>
</tr></table>
</div>
<div class="paragraph"><p>Modify and Reload Configuration:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>echo 'suppress = { { gid = 1, sid = 2215 } }' &gt;&gt; $my_path/etc/snort/snort.lua
kill -hup &lt;pid&gt;</code></pre>
</div></div>
<div class="paragraph"><p>Dump stats to stdout:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>kill -usr1 &lt;pid&gt;</code></pre>
</div></div>
<div class="paragraph"><p>Shutdown normally:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>kill -term &lt;pid&gt;</code></pre>
</div></div>
<div class="paragraph"><p>Exit without flushing packets:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>kill -quit &lt;pid&gt;</code></pre>
</div></div>
<div class="paragraph"><p>List available signals:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --help-signals</code></pre>
</div></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/note.png" alt="Note" />
</td>
<td class="content">The available signals may vary from platform to platform.</td>
</tr></table>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_features">Features</h2>
<div class="sectionbody">
<div class="paragraph"><p>This section explains how to use key features of Snort.</p></div>
<div class="sect2">
<h3 id="_active_response">Active Response</h3>
<div class="paragraph"><p>Snort can take more active role in securing network by sending active
responses to shutdown offending sessions. When active responses is
enabled, snort will send TCP RST or ICMP unreachable when dropping a
session.</p></div>
<div class="sect3">
<h4 id="_changes_from_snort_2_9">Changes from Snort 2.9</h4>
<div class="ulist"><ul>
<li>
<p>
stream5_global:max_active_responses and min_response_seconds are now
active.max_responses and active.min_interval.
</p>
</li>
<li>
<p>
Response actions were removed from IPS rule body to the rule action
in the header.  This includes react, reject, and rewrite (split out of
replace which now just does the detection part). These IPS actions are
plugins.
</p>
</li>
<li>
<p>
drop and block are synonymous in Snort 2.9 but in Snort 3.0 drop means
don&#8217;t forward the current packet only whereas block means don&#8217;t forward
this or any following packet on the flow.
</p>
</li>
</ul></div>
</div>
<div class="sect3">
<h4 id="_configure_active">Configure Active</h4>
<div class="paragraph"><p>Active response is enabled by configuring one of following IPS action
plugins:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>react = { }
reject = { }
rewrite = { }</code></pre>
</div></div>
<div class="paragraph"><p>Active responses will be performed for reject, react or rewrite IPS rule
actions, and response packets are encoded based on the triggering packet.
TTL will be set to the value captured at session pickup.</p></div>
<div class="paragraph"><p>Configure the number of attempts to land a TCP RST within the session&#8217;s
current window (so that it is accepted by the receiving TCP).  This
sequence "strafing" is really only useful in passive mode.  In inline mode
the reset is put straight into the stream in lieu of the triggering packet
so strafing is not necessary.</p></div>
<div class="paragraph"><p>Each attempt (sent in rapid succession) has a different sequence number.
Each active response will actually cause this number of TCP resets to be
sent. TCP data is multiplied similarly. At most 1 ICMP unreachable is sent,
iff attempts &gt; 0.</p></div>
<div class="paragraph"><p>Device IP will perform network layer injection.  It is probably a better
choice to specify an interface and avoid kernel routing tables, etc.</p></div>
<div class="paragraph"><p>dst_mac will change response destination MAC address, if the device is
eth0, eth1, eth2 etc. Otherwise, response destination MAC address is
derived from packet.</p></div>
<div class="paragraph"><p>Example:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>active =
{
    attempts = 2,
    device = "eth0",
    dst_mac = "00:06:76:DD:5F:E3",
}</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_reject">Reject</h4>
<div class="paragraph"><p>IPS action reject perform active response to shutdown hostile network
session by injecting TCP resets (TCP connections) or ICMP unreachable
packets.</p></div>
<div class="paragraph"><p>Example:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>reject = { reset = "both", control = "all" }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>local_rules =
[[
reject tcp ( msg:"hostile connection"; flow:established, to_server;
content:"HACK!"; sid:1; )
]]</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>ips =
{
    rules = local_rules,
}</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_react">React</h4>
<div class="paragraph"><p>IPS action react enables sending an HTML page on a session and then
resetting it.</p></div>
<div class="paragraph"><p>The page to be sent can be read from a file:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>react = { page = "customized_block_page.html", }</code></pre>
</div></div>
<div class="paragraph"><p>or else the default is used:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>&lt;default_page&gt; ::= \
    "HTTP/1.1 403 Forbidden\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "&lt;!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\"\r\n" \
    "    \"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd\"&gt;\r\n" \
    "&lt;html xmlns=\"http://www.w3.org/1999/xhtml\"
    xml:lang=\"en\"&gt;\r\n" \
    "&lt;head&gt;\r\n" \
    "&lt;meta http-equiv=\"Content-Type\" content=\"text/html;
    charset=UTF-8\" /&gt;\r\n" \
    "&lt;title&gt;Access Denied&lt;/title&gt;\r\n" \
    "&lt;/head&gt;\r\n" \
    "&lt;body&gt;\r\n" \
    "&lt;h1&gt;Access Denied&lt;/h1&gt;\r\n" \
    "&lt;p&gt;%s&lt;/p&gt;\r\n" \
    "&lt;/body&gt;\r\n" \
    "&lt;/html&gt;\r\n";</code></pre>
</div></div>
<div class="paragraph"><p>Note that the file must contain the entire response, including any HTTP
headers. In fact, the response isn&#8217;t strictly limited to HTTP.  You could
craft a binary payload of arbitrary content.</p></div>
<div class="paragraph"><p>When the rule is configured, the page is loaded and the %s is replaced
with the selected message, which defaults to:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>"You are attempting to access a forbidden site.&lt;br /&gt;" \
"Consult your system administrator for details."</code></pre>
</div></div>
<div class="paragraph"><p>Additional formatting operators beyond a single %s are prohibited,
including %d, %x, %s, as well as any URL encodings such as as %20 (space)
that may be within a reference URL.</p></div>
<div class="paragraph"><p>Example:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>react = { page = "my_block_page.html" }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>local_rules =
[[
react http ( msg:"Unauthorized Access Prohibited!"; flow:established,
to_server; http_method; content:"GET"; sid:1; )
]]</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>ips =
{
    rules = local_rules,
}</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_rewrite">Rewrite</h4>
<div class="paragraph"><p>IPS action rewrite enables overwrite packet contents based on "replace"
option in the rules.</p></div>
<div class="paragraph"><p>For example:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>rewrite = { }
local_rules =
[[
rewrite tcp 10.1.1.87 any -&gt; 10.1.1.0/24 80
(
    sid:1000002;
    msg:"test replace rule";
    content:"index.php", nocase;
    replace:"indax.php";
)
]]</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>ips =
{
    rules = local_rules,
}</code></pre>
</div></div>
<div class="paragraph"><p>this rule replaces "index.php" with "indax.php", and rewrite action
updates that packet.</p></div>
<div class="paragraph"><p>to enable rewrite action:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>rewrite = { }</code></pre>
</div></div>
<div class="paragraph"><p>the replace operation can be disabled by changing the configuration:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>rewrite = { disable_replace = true }</code></pre>
</div></div>
</div>
</div>
<div class="sect2">
<h3 id="_appid">AppId</h3>
<div class="paragraph"><p>Network administrators need application awareness in order to fine tune
their management of the ever-growing number of applications passing traffic
over the network. Application awareness allows an administrator to create
rules for applications as needed by the business. The rules can be used to
take action based on the application, such as block, allow or alert.</p></div>
<div class="sect3">
<h4 id="_overview_2">Overview</h4>
<div class="paragraph"><p>The AppId inspector provides an application level view when managing
networks by providing the following features:</p></div>
<div class="ulist"><ul>
<li>
<p>
Network control: The inspector works with Snort rules by providing a set of
  application identifiers (AppIds) to Snort rule writers.
</p>
</li>
<li>
<p>
Application usage awareness: The inspector outputs statistics to show
  how many times applications are being used on the network.
</p>
</li>
<li>
<p>
Custom applications: Administrators can create their own application
  detectors to detect new applications. The detectors are written in Lua
  and interface with Snort using a well-defined C-Lua API.
</p>
</li>
<li>
<p>
Open Detector Package (ODP): A set of pre-defined application detectors are
  provided by the Snort team and can be downloaded from snort.org.
</p>
</li>
</ul></div>
</div>
<div class="sect3">
<h4 id="_dependency_requirements">Dependency Requirements</h4>
<div class="paragraph"><p>For proper functioning of the AppId inspector, at a minimum stream flow
tracking must be enabled. In addition, to identify TCP-based or UDP-based
applications then the appropriate stream inspector must be enabled, e.g.
stream_tcp or stream_udp.</p></div>
<div class="paragraph"><p>In addition, in order to identify HTTP-based applications, the HTTP
inspector must be enabled. Otherwise, only non-HTTP applications will be
identified.</p></div>
<div class="paragraph"><p>AppId subscribes to the inspection events published by other inspectors,
such as the HTTP and SSL inspectors, to gain access to the data needed. It
uses that data to help determine the application ID.</p></div>
</div>
<div class="sect3">
<h4 id="_configuration_3">Configuration</h4>
<div class="paragraph"><p>The AppId feature can be enabled via configuration. To enable it with the
default settings use:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>appid = { }</code></pre>
</div></div>
<div class="paragraph"><p>To use an AppId as a matching parameter in an IPS rule, use the <em>appids</em>
keyword.  For example, to block HTTP traffic that contains a specific header:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>block tcp any any -&gt; 192.168.0.1 any ( msg:"Block Malicious HTTP header";
  appids:"HTTP"; content:"X-Header: malicious"; sid:18000; )</code></pre>
</div></div>
<div class="paragraph"><p>Alternatively, the HTTP application can be specified in place of <em>tcp</em> instead
of using the <em>appids</em> keyword. The AppId inspector will set the service when
it is discovered so it can be used in IPS rules like this. Note that this rule
also does not specify the IPs or ports which default to <em>any</em>.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>block http ( msg:"Block Malicious HTTP header";
  content:"X-Header: malicious"; sid:18000; )</code></pre>
</div></div>
<div class="paragraph"><p>It&#8217;s possible to specify multiple applications (as many as desired) with
the appids keyword. A rule is considered a match if any of the applications
on the rule match. Note that this rule does not match specific content which
will reduce performance.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp any any -&gt; 192.168.0.1 any ( msg:"Alert ";
  appids:"telnet,ssh,smtp,http";</code></pre>
</div></div>
<div class="paragraph"><p>Below is a minimal Snort configuration that is sufficient to block flows
based on a specific HTTP header:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>stream = { }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>stream_tcp = { }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>binder =
{
    {
        when =
        {
            proto = 'tcp',
            ports = [[ 80 8080 ]],
        },
        use =
        {
            type = 'http_inspect',
        },
    },
}</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>http_inspect = { }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>appid = { }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>local_rules =
[[
block http ( msg:"openAppId: test content match for app http";
content:"X-Header: malicious"; sid:18760; rev:4; )
]]</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>ips =
{
    rules = local_rules,
}</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_session_application_identifiers">Session Application Identifiers</h4>
<div class="paragraph"><p>There are up to four AppIds stored in a session as defined below:</p></div>
<div class="ulist"><ul>
<li>
<p>
serviceAppId - An appId associated with server side of a session. Example:
  http server.
</p>
</li>
<li>
<p>
clientAppId - An appId associated with application on client side of a
  session.  Example: Firefox.
</p>
</li>
<li>
<p>
payloadAppId - For services like http this appId is associated with a
  webserver host.  Example: Facebook.
</p>
</li>
<li>
<p>
miscAppId - For some encapsulated protocols, this is the highest
  encapsulated application.
</p>
</li>
</ul></div>
<div class="paragraph"><p>For packets originating from the client, a payloadAppid in a session is
matched with all AppIds listed on a rule. Thereafter miscAppId, clientAppId
and serviceAppId are matched. Since Alert Events contain one AppId, only the
first match is reported. If a rule without an appids option matches, then the
most specific appId (in order of payload, misc, client, server) is reported.</p></div>
<div class="paragraph"><p>The same logic is followed for packets originating from the server with one
exception.  The order of matching is changed to make serviceAppId come
before clientAppId.</p></div>
</div>
<div class="sect3">
<h4 id="_appid_usage_statistics">AppId Usage Statistics</h4>
<div class="paragraph"><p>The AppId inspector prints application network usage periodically in the snort
log directory in unified2 format. File name, time interval for statistic and
file rollover are controlled by appId inspection configuration.</p></div>
</div>
<div class="sect3">
<h4 id="_open_detector_package_odp_installation">Open Detector Package (ODP) Installation</h4>
<div class="paragraph"><p>Application detectors from Snort team will be delivered in a separate package
called the Open Detector Package (ODP) that can be downloaded from snort.org.
ODP is a package that contains the following artifacts:</p></div>
<div class="ulist"><ul>
<li>
<p>
Application detectors in the Lua language.
</p>
</li>
<li>
<p>
Port detectors, which are port only application detectors, in meta-data in
  YAML format.
</p>
</li>
<li>
<p>
appMapping.data file containing application metadata. This file should not
  be modified.  The first column contains application identifier and second
  column contains application name.  Other columns contain internal
  information.
</p>
</li>
<li>
<p>
Lua library files DetectorCommon.lua, flowTrackerModule.lua and
  hostServiceTrackerModule.lua
</p>
</li>
</ul></div>
<div class="paragraph"><p>A user can install the ODP package in any directory and configure this
directory via the app_detector_dir option in the appid preprocessor
configuration.  Installing ODP will not modify any subdirectory named
custom, where user-created detectors are located.</p></div>
<div class="paragraph"><p>When installed, ODP will create following sub-directories:</p></div>
<div class="ulist"><ul>
<li>
<p>
odp/port    //Cisco port-only detectors
</p>
</li>
<li>
<p>
odp/lua     //Cisco Lua detectors
</p>
</li>
<li>
<p>
odp/libs    //Cisco Lua modules
</p>
</li>
</ul></div>
</div>
<div class="sect3">
<h4 id="_user_created_application_detectors">User Created Application Detectors</h4>
<div class="paragraph"><p>Users can detect new applications by adding detectors in the Lua language. A
document will be posted on the Snort Website with details on API. Users can also
copy over Snort team provided detectors and modify them. Users can also use the
detector creation tool described in the next section.</p></div>
<div class="paragraph"><p>Users must organize their Lua detectors and libraries by creating the
following directory structure, under the ODP installation directory.</p></div>
<div class="ulist"><ul>
<li>
<p>
custom/port    //port-only detectors
</p>
</li>
<li>
<p>
custom/lua     //Lua detectors
</p>
</li>
<li>
<p>
custom/libs    //Lua modules
</p>
</li>
</ul></div>
<div class="paragraph"><p>The root path is specified by the "app_detector_dir" parameter of the appid
section of snort.conf:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>appid  =
{
    app_detector_dir = '/usr/local/lib/openappid',
}</code></pre>
</div></div>
<div class="paragraph"><p>So the path to the user-created lua files would be
/usr/local/lib/openappid/custom/lua/</p></div>
<div class="paragraph"><p>None of the directories below /usr/local/lib/openappid/ would be added for
you.</p></div>
</div>
<div class="sect3">
<h4 id="_application_detector_creation_tool">Application Detector Creation Tool</h4>
<div class="paragraph"><p>For rudimentary Lua detectors, there is a tool provided called
appid_detector_builder.sh.  This is a simple, menu-driven bash script
which creates .lua files in your current directory, based on your choices
and on patterns you supply.</p></div>
<div class="paragraph"><p>When you launch the script, it will prompt for the Application Id
that you are giving for your detector. This is free-form ASCII with
minor restrictions. The Lua detector file will be named based on your
Application Id. If the file name already exists you will be prompted to
overwrite it.</p></div>
<div class="paragraph"><p>You will also be prompted for a description of your detector to be placed
in the comments of the Lua source code. This is optional.</p></div>
<div class="paragraph"><p>You will then be asked a series of questions designed to construct Lua
code based on the kind of pattern data, protocol, port(s), etc.</p></div>
<div class="paragraph"><p>When complete, the Protocol menu will be changed to include the option,
"Save Detector".  Instead of saving the file and exiting the script,
you are allowed to give additional criteria for another pattern which
may also be incorporated in the detection scheme. Then either pattern,
when matched, will be considered a valid detection.</p></div>
<div class="paragraph"><p>For example, your first choices might create an HTTP detection pattern
of "example.com", and the next set of choices would add the HTTP
detection pattern of "example.uk.co" (an equally fictional British
counterpart). They would then co-exist in the Lua detector, and either
would cause a detection with the name you give for your Application Id.</p></div>
<div class="paragraph"><p>The resulting .lua file will need to be placed in the directory,
"custom/lua", described in the previous section of the README above called
"User Created Application Detectors"</p></div>
</div>
</div>
<div class="sect2">
<h3 id="_binder">Binder</h3>
<div class="paragraph"><p>One of the fundamental differences between Snort 2 and Snort 3 concerns configuration
related to networks and ports. Here is a brief review of Snort 2 configuration for
network and service related components:</p></div>
<div class="ulist"><ul>
<li>
<p>
Snort&#8217;s configuration has a default policy and optional policies selected by
  VLAN or network (with config binding).
</p>
</li>
<li>
<p>
Each policy contains a user defined set of preprocessor configurations.
</p>
</li>
<li>
<p>
Each preprocessor has a default configuration and some support non-default
  configurations selected by network.
</p>
</li>
<li>
<p>
Most preprocessors have port configurations.
</p>
</li>
<li>
<p>
The default policy may also contain a list of ports to ignore.
</p>
</li>
</ul></div>
<div class="paragraph"><p>In Snort 3, the above configurations are done in a single module called the
binder.  Here is an example:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>binder =
{
    -- allow all tcp port 22:
    -- (similar to Snort 2 config ignore_ports)
    { when = { proto = 'tcp', ports = '22' }, use = { action = 'allow' } },</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>-- select a config file by vlan
-- (similar to Snort 2 config binding by vlan)
{ when = { vlans = '1024' }, use = { file = 'vlan.lua' } },</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>-- use a non-default HTTP inspector for port 8080:
-- (similar to a Snort 2 targeted preprocessor config)
{ when = { nets = '192.168.0.0/16', proto = 'tcp', ports = '8080' },
  use = { name = 'alt_http', type = 'http_inspect' } },</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>-- use the default inspectors:
-- (similar to a Snort 2 default preprocessor config)
{ when = { proto = 'tcp' }, use = { type = 'stream_tcp' } },
{ when = { service = 'http' }, use = { type = 'http_inspect' } },</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>    -- figure out which inspector to run automatically:
    { use = { type = 'wizard' } }
}</code></pre>
</div></div>
<div class="paragraph"><p>Bindings are evaluated when a session starts and again if and when service is
identified on the session.  Essentially, the bindings are a list of when-use
rules evaluated from top to bottom.  The first matching network and service
configurations are applied.  binder.when can contain any combination of
criteria and binder.use can specify an action, config file, or inspector
configuration.</p></div>
</div>
<div class="sect2">
<h3 id="_byte_rule_options">Byte rule options</h3>
<div class="sect3">
<h4 id="_byte_test">byte_test</h4>
<div class="paragraph"><p>This rule option tests a byte field against a specific value (with
operator). Capable of testing binary values or converting
representative byte strings to their binary equivalent and testing them.</p></div>
<div class="paragraph"><p>Snort uses the C operators for each of these operators. If the &amp;
operator is used, then it would be the same as using</p></div>
<div class="listingblock">
<div class="content"><!-- Generator: GNU source-highlight
by Lorenzo Bettini
http://www.lorenzobettini.it
http://www.gnu.org/software/src-highlite -->
<pre><tt><span style="font-weight: bold"><span style="color: #0000FF">if</span></span> <span style="color: #990000">(</span>data <span style="color: #990000">&amp;</span> value<span style="color: #990000">)</span> <span style="color: #FF0000">{</span> <span style="font-weight: bold"><span style="color: #000000">do_something</span></span><span style="color: #990000">();</span> <span style="color: #FF0000">}</span></tt></pre></div></div>
<div class="paragraph"><p><em>!</em> operator negates the results from the base check. <em>!&lt;oper&gt;</em> is
considered as</p></div>
<div class="listingblock">
<div class="content"><!-- Generator: GNU source-highlight
by Lorenzo Bettini
http://www.lorenzobettini.it
http://www.gnu.org/software/src-highlite -->
<pre><tt><span style="color: #990000">!(</span>data <span style="color: #990000">&lt;</span>oper<span style="color: #990000">&gt;</span> value<span style="color: #990000">)</span></tt></pre></div></div>
<div class="paragraph"><p>Note:
The bitmask option applies bitwise AND operator on the bytes
converted. The result will be right-shifted by the number of bits
equal to the number of trailing zeros in the mask.
This applies for the other rule options as well.</p></div>
<div class="sect4">
<h5 id="_examples">Examples</h5>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp (byte_test:2, =, 568, 0, bitmask 0x3FF0;)</code></pre>
</div></div>
<div class="paragraph"><p>This example extracts 2 bytes at offset 0, performs bitwise and with
bitmask 0x3FF0, shifts the result by 4 bits and compares to 568.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alert udp (byte_test:4, =, 1234, 0, string, dec;
    msg:"got 1234!";)</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>alert udp (byte_test:8, =, 0xdeadbeef, 0, string, hex;
    msg:"got DEADBEEF!";)</code></pre>
</div></div>
</div>
</div>
<div class="sect3">
<h4 id="_byte_jump">byte_jump</h4>
<div class="paragraph"><p>The byte_jump rule option allows rules to be written for length
encoded protocols trivially. By having an option that reads the
length of a portion of data, then skips that far forward in the
packet, rules can be written that skip over specific portions of
length-encoded protocols and perform detection in very specific
locations.</p></div>
<div class="sect4">
<h5 id="_examples_2">Examples</h5>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp (content:"Begin";
    byte_jump:0, 0, from_end, post_offset -6;
    content:"end..", distance 0, within 5;
    msg:"Content match from end of the payload";)</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp (content:"catalog";
    byte_jump:2, 1, relative, post_offset 2, bitmask 0x03f0;
    byte_test:2, =, 968, 0, relative;
    msg:"Bitmask applied on the 2 bytes extracted for byte_jump";)</code></pre>
</div></div>
</div>
</div>
<div class="sect3">
<h4 id="_byte_extract">byte_extract</h4>
<div class="paragraph"><p>The byte_extract keyword is another useful option for writing rules
against length-encoded protocols. It reads in some number of bytes
from the packet payload and saves it to a variable. These variables
can be referenced later in the rule, instead of using hard-coded values.</p></div>
<div class="sect4">
<h5 id="_other_options_which_use_byte_extract_variables">Other options which use byte_extract variables</h5>
<div class="paragraph"><p>A byte_extract rule option detects nothing by itself. Its use is in
extracting packet data for use in other rule options.</p></div>
<div class="paragraph"><p>Here is a list of places where byte_extract variables can be used:</p></div>
<div class="ulist"><ul>
<li>
<p>
content/uricontent: offset, depth, distance, within
</p>
</li>
<li>
<p>
byte_test: offset, value
</p>
</li>
<li>
<p>
byte_jump: offset, post_offset
</p>
</li>
<li>
<p>
isdataat: offset
</p>
</li>
</ul></div>
</div>
<div class="sect4">
<h5 id="_examples_3">Examples</h5>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp (byte_extract:1, 0, str_offset;
    byte_extract:1, 1, str_depth;
    content:"bad stuff", offset str_offset, depth str_depth;
    msg:"Bad Stuff detected within field";)</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp (content:"START"; byte_extract:1, 0, myvar, relative;
    byte_jump:1, 3, relative, post_offset myvar;
    content:"END", distance 6, within 3;
    msg: "byte_jump - pass variable to post_offset";)</code></pre>
</div></div>
<div class="paragraph"><p>This example uses two variables.</p></div>
<div class="paragraph"><p>The first variable keeps the offset of a string, read from a byte at offset 0.
The second variable keeps the depth of a string, read from a byte at offset 1.
These values are used to constrain a pattern match to a smaller area.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp (content:"|04 63 34 35|", offset 4, depth 4;
    byte_extract: 2, 0, var_match, relative, bitmask 0x03ff;
    byte_test: 2, =, var_match, 2, relative;
    msg:"Test value match, after applying bitmask on bytes extracted";)</code></pre>
</div></div>
</div>
</div>
<div class="sect3">
<h4 id="_byte_math">byte_math</h4>
<div class="paragraph"><p>Perform a mathematical operation on an extracted value and a specified
value or existing variable, and store the outcome in a new resulting
variable. These resulting variables can be referenced later in the
rule, at the same places as byte_extract variables.</p></div>
<div class="paragraph"><p>The syntax for this rule option is different. The order of the options
is critical for the other rule options and can&#8217;t be changed. For
example, the first option is the number of bytes to extract.
Here the name of the option is explicitly written, for example : bytes 2.
The order is not important.</p></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/note.png" alt="Note" />
</td>
<td class="content">Byte_math operations are performed on unsigned 32-bit values. When
      writing a rule it should be taken into consideration to avoid wrap around.</td>
</tr></table>
</div>
<div class="sect4">
<h5 id="_examples_4">Examples</h5>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp ( byte_math: bytes 2, offset 0, oper *, rvalue 10, result area;
   byte_test:2,&gt;,area,16;)</code></pre>
</div></div>
<div class="paragraph"><p>At the zero offset of the payload, extract 2 bytes and apply multiplication operation with
value 10. Store result in variable area. The area variable is given as
input to byte_test value option.</p></div>
<div class="paragraph"><p>Let&#8217;s consider 2 bytes of extracted data is 5. The rvalue is 10.
Result variable area is 50 ( 5 * 10 ).
Area variable can be used in either byte_test offset/value options.</p></div>
</div>
</div>
<div class="sect3">
<h4 id="_testing_numerical_values">Testing Numerical Values</h4>
<div class="paragraph"><p>The rule options byte_test and byte_jump were written to support
writing rules for protocols that have length encoded data. RPC was
the protocol that spawned the requirement for these two rule options,
as RPC uses simple length based encoding for passing data.</p></div>
<div class="paragraph"><p>In order to understand why byte test and byte jump are useful, let&#8217;s
go through an exploit attempt against the sadmind service.</p></div>
<div class="paragraph"><p>This is the payload of the exploit:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>89 09 9c e2 00 00 00 00 00 00 00 02 00 01 87 88  ................
00 00 00 0a 00 00 00 01 00 00 00 01 00 00 00 20  ...............
40 28 3a 10 00 00 00 0a 4d 45 54 41 53 50 4c 4f  @(:.....metasplo
49 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00  it..............
00 00 00 00 00 00 00 00 40 28 3a 14 00 07 45 df  ........@(:...e.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 04  ................
7f 00 00 01 00 01 87 88 00 00 00 0a 00 00 00 04  ................
7f 00 00 01 00 01 87 88 00 00 00 0a 00 00 00 11  ................
00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 3b 4d 45 54 41 53 50 4c 4f  .......;metasplo
49 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00  it..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 06 73 79 73 74 65 6d 00 00  ........system..
00 00 00 15 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f  ....../../../../
2e 2e 2f 62 69 6e 2f 73 68 00 00 00 00 00 04 1e  ../bin/sh.......</code></pre>
</div></div>
<div class="paragraph"><p>Let&#8217;s break this up, describe each of the fields, and figure out how to write a
rule to catch this exploit.</p></div>
<div class="paragraph"><p>There are a few things to note with RPC:</p></div>
<div class="paragraph"><p>Numbers are written as uint32s, taking four bytes.  The number 26 would
show up as 0x0000001a.</p></div>
<div class="paragraph"><p>Strings are written as a uint32 specifying the length of the string, the
string, and then null bytes to pad the length of the string to end on a 4-byte
boundary.  The string <em>bob</em> would show up as 0x00000003626f6200.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>89 09 9c e2     - the request id, a random uint32, unique to each request
00 00 00 00     - rpc type (call = 0, response = 1)
00 00 00 02     - rpc version (2)
00 01 87 88     - rpc program (0x00018788 = 100232 = sadmind)
00 00 00 0a     - rpc program version (0x0000000a = 10)
00 00 00 01     - rpc procedure (0x00000001 = 1)
00 00 00 01     - credential flavor (1 = auth_unix)
00 00 00 20     - length of auth_unix data (0x20 = 32)</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>## the next 32 bytes are the auth_unix data
40 28 3a 10 - unix timestamp (0x40283a10 = 1076378128 = feb 10 01:55:28 2004 gmt)
00 00 00 0a - length of the client machine name (0x0a = 10)
4d 45 54 41 53 50 4c 4f 49 54 00 00  - metasploit</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>00 00 00 00 - uid of requesting user (0)
00 00 00 00 - gid of requesting user (0)
00 00 00 00 - extra group ids (0)</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>00 00 00 00 - verifier flavor (0 = auth_null, aka none)
00 00 00 00 - length of verifier (0, aka none)</code></pre>
</div></div>
<div class="paragraph"><p>The rest of the packet is the request that gets passed to procedure 1 of
sadmind.</p></div>
<div class="paragraph"><p>However, we know the vulnerability is that sadmind trusts the uid coming from
the client.  sadmind runs any request where the client&#8217;s uid is 0 as root.  As
such, we have decoded enough of the request to write our rule.</p></div>
<div class="paragraph"><p>First, we need to make sure that our packet is an RPC call.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>content:"|00 00 00 00|", offset 4, depth 4;</code></pre>
</div></div>
<div class="paragraph"><p>Then, we need to make sure that our packet is a call to sadmind.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>content:"|00 01 87 88|", offset 12, depth 4;</code></pre>
</div></div>
<div class="paragraph"><p>Then, we need to make sure that our packet is a call to the procedure 1, the
vulnerable procedure.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>content:"|00 00 00 01|", offset 20, depth 4;</code></pre>
</div></div>
<div class="paragraph"><p>Then, we need to make sure that our packet has auth_unix credentials.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>content:"|00 00 00 01|", offset 24, depth 4;</code></pre>
</div></div>
<div class="paragraph"><p>We don&#8217;t care about the hostname, but we want to skip over it and check a
number value after the hostname.  This is where byte_test is useful.  Starting
at the length of the hostname, the data we have is:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>00 00 00 0a 4d 45 54 41 53 50 4c 4f 49 54 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00</code></pre>
</div></div>
<div class="paragraph"><p>We want to read 4 bytes, turn it into a number, and jump that many bytes
forward, making sure to account for the padding that RPC requires on strings.
If we do that, we are now at:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00</code></pre>
</div></div>
<div class="paragraph"><p>which happens to be the exact location of the uid, the value we want to check.</p></div>
<div class="paragraph"><p>In English, we want to read 4 bytes, 36 bytes from the beginning of the packet,
and turn those 4 bytes into an integer and jump that many bytes forward,
aligning on the 4-byte boundary.  To do that in a Snort rule, we use:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>byte_jump:4,36,align;</code></pre>
</div></div>
<div class="paragraph"><p>then we want to look for the uid of 0.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>content:"|00 00 00 00|", within 4;</code></pre>
</div></div>
<div class="paragraph"><p>Now that we have all the detection capabilities for our rule, let&#8217;s put them
all together.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>content:"|00 00 00 00|", offset 4, depth 4;
content:"|00 01 87 88|", offset 12, depth 4;
content:"|00 00 00 01|", offset 20, depth 4;
content:"|00 00 00 01|", offset 24, depth 4;
byte_jump:4,36,align;
content:"|00 00 00 00|", within 4;</code></pre>
</div></div>
<div class="paragraph"><p>The 3rd and fourth string match are right next to each other, so we should
combine those patterns.  We end up with:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>content:"|00 00 00 00|", offset 4, depth 4;
content:"|00 01 87 88|", offset 12, depth 4;
content:"|00 00 00 01 00 00 00 01|", offset 20, depth 8;
byte_jump:4,36,align;
content:"|00 00 00 00|", within 4;</code></pre>
</div></div>
<div class="paragraph"><p>If the sadmind service was vulnerable to a buffer overflow when reading the
client&#8217;s hostname, instead of reading the length of the hostname and jumping
that many bytes forward, we would check the length of the hostname to make sure
it is not too large.</p></div>
<div class="paragraph"><p>To do that, we would read 4 bytes, starting 36 bytes into the packet, turn it
into a number, and then make sure it is not too large (let&#8217;s say bigger than
200 bytes).  In Snort, we do:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>byte_test:4,&gt;,200,36;</code></pre>
</div></div>
<div class="paragraph"><p>Our full rule would be:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>content:"|00 00 00 00|", offset 4, depth 4;
content:"|00 01 87 88|", offset 12, depth 4;
content:"|00 00 00 01 00 00 00 01|", offset 20, depth 8;
byte_test:4,&gt;,200,36;</code></pre>
</div></div>
</div>
</div>
<div class="sect2">
<h3 id="_dce_inspectors">DCE Inspectors</h3>
<div class="paragraph"><p>The main purpose of these inspector are to perform SMB desegmentation and
DCE/RPC defragmentation to avoid rule evasion using these techniques.</p></div>
<div class="sect3">
<h4 id="_overview_3">Overview</h4>
<div class="paragraph"><p>The following transports are supported for DCE/RPC: SMB, TCP, and UDP.
New rule options have been implemented to improve performance, reduce false
positives and reduce the count and complexity of DCE/RPC based rules.</p></div>
<div class="paragraph"><p>Different from Snort 2, the DCE-RPC preprocessor is split into three inspectors
 - one for each transport: dce_smb, dce_tcp, dce_udp. This includes the
configuration as well as the inspector modules. The Snort 2 server configuration
is now split between the inspectors. Options that are meaningful to all
inspectors, such as policy and defragmentation, are copied into each inspector
configuration. The address/port mapping is handled by the binder. Autodetect
functionality is replaced by wizard curses.</p></div>
</div>
<div class="sect3">
<h4 id="_quick_guide">Quick Guide</h4>
<div class="paragraph"><p>A typical dcerpce configuration looks like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>binder =
{
   {
       when =
       {
           proto = 'tcp',
           ports = '139 445 1025',
        },
       use =
       {
           type = 'dce_smb',
       },
    },
    {
       when =
       {
           proto = 'tcp',
           ports = '135 2103',
       },
       use =
       {
           type = 'dce_tcp',
       },
    },
    {
       when =
       {
           proto = 'udp',
           ports = '1030',
       },
       use =
       {
           type = 'dce_udp',
       },
    }
 }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>dce_smb = { }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>dce_tcp = { }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>dce_udp = { }</code></pre>
</div></div>
<div class="paragraph"><p>In this example, it defines smb, tcp and udp inspectors based on port. All the
configurations are default.</p></div>
</div>
<div class="sect3">
<h4 id="_target_based">Target Based</h4>
<div class="paragraph"><p>There are enough important differences between Windows and Samba versions that
a target based approach has been implemented. Some important differences:</p></div>
<div class="ulist"><ul>
<li>
<p>
Named pipe instance tracking
</p>
</li>
<li>
<p>
Accepted SMB commands
</p>
</li>
<li>
<p>
AndX command chaining
</p>
</li>
<li>
<p>
Transaction tracking
</p>
</li>
<li>
<p>
Multiple Bind requests
</p>
</li>
<li>
<p>
DCE/RPC Fragmented requests - Context ID
</p>
</li>
<li>
<p>
DCE/RPC Fragmented requests - Operation number
</p>
</li>
<li>
<p>
DCE/RPC Stub data byte order
</p>
</li>
</ul></div>
<div class="paragraph"><p>Because of those differences, each inspector can be configured to different
policy. Here are the list of policies supported:</p></div>
<div class="ulist"><ul>
<li>
<p>
WinXP (default)
</p>
</li>
<li>
<p>
Win2000
</p>
</li>
<li>
<p>
WinVista
</p>
</li>
<li>
<p>
Win2003
</p>
</li>
<li>
<p>
Win2008
</p>
</li>
<li>
<p>
Win7
</p>
</li>
<li>
<p>
Samba
</p>
</li>
<li>
<p>
Samba-3.0.37
</p>
</li>
<li>
<p>
Samba-3.0.22
</p>
</li>
<li>
<p>
Samba-3.0.20
</p>
</li>
</ul></div>
</div>
<div class="sect3">
<h4 id="_reassembling">Reassembling</h4>
<div class="paragraph"><p>Both SMB inspector and TCP inspector support reassemble. Reassemble threshold
specifies a minimum number of bytes in the DCE/RPC desegmentation and
defragmentation buffers before creating a reassembly packet to send to the
detection engine. This option is useful in inline mode so as to potentially
catch an exploit early before full defragmentation is done. A value of 0 s
supplied as an argument to this option will, in effect, disable this option.
Default is disabled.</p></div>
</div>
<div class="sect3">
<h4 id="_smb">SMB</h4>
<div class="paragraph"><p>SMB inspector is one of the most complex inspectors. In addition to supporting
rule options and lots of inspector rule events, it also supports file
processing for both SMB version 1, 2, and 3.</p></div>
<div class="sect4">
<h5 id="_finger_print_policy">Finger Print Policy</h5>
<div class="paragraph"><p>In the initial phase of an SMB session, the client needs to authenticate with a
SessionSetupAndX.  Both the request and response to this command contain OS and
version information that can allow the inspector to dynamically set the policy
for a session which allows for better protection against Windows and Samba
specific evasions.</p></div>
</div>
<div class="sect4">
<h5 id="_file_inspection">File Inspection</h5>
<div class="paragraph"><p>SMB inspector supports file inspection. A typical configuration looks like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>binder =
{
   {
       when =
       {
           proto = 'tcp',
           ports = '139 445',
       },
       use =
       {
           type = 'dce_smb',
       },
   },
}</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>dce_smb =
{
    smb_file_inspection = 'on',
    smb_file_depth = 0,
 }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>file_id =
{
    enable_type = true,
    enable_signature = true,
    enable_capture = true,
    file_rules = magics,
}</code></pre>
</div></div>
<div class="paragraph"><p>First, define a binder to map tcp port 139 and 445 to smb. Then, enable file
inspection in smb inspection and set the file depth as unlimited. Lastly, enable
file inspector to inspect file type, calculate file signature, and capture file.
The details of file inspector are explained in file processing section.</p></div>
<div class="paragraph"><p>SMB inspector does inspection of normal SMB file transfers.  This includes doing
file type and signature through the file processing as well as setting a pointer
for the "file_data" rule option.  Note that the "file_depth" option only applies
to the maximum amount of file data for which it will set the pointer for the
"file_data" rule option.  For file type and signature it will use the value
configured for the file API.  If "only" is specified, the inspector will only
do SMB file inspection, i.e. it will not do any DCE/RPC tracking or inspection.
If "on" is specified with no arguments, the default file depth is 16384 bytes.
An argument of -1 to "file-depth" disables setting the pointer for "file_data",
effectively disabling SMB file inspection in rules.  An argument of 0 to
"file_depth" means unlimited.  Default is "off", i.e. no SMB file inspection is
 done in the inspector.</p></div>
</div>
</div>
<div class="sect3">
<h4 id="_tcp">TCP</h4>
<div class="paragraph"><p>dce_tcp inspector supports defragmentation, reassembling, and policy that is
similar to SMB.</p></div>
</div>
<div class="sect3">
<h4 id="_udp">UDP</h4>
<div class="paragraph"><p>dce_udp is a very simple inspector that only supports defragmentation</p></div>
</div>
<div class="sect3">
<h4 id="_rule_options">Rule Options</h4>
<div class="paragraph"><p>New rule options are supported by enabling the dcerpc2 inspectors:</p></div>
<div class="ulist"><ul>
<li>
<p>
dce_iface
</p>
</li>
<li>
<p>
dce_opnum
</p>
</li>
<li>
<p>
dce_stub_data
</p>
</li>
</ul></div>
<div class="paragraph"><p>New modifiers to existing byte_test and byte_jump rule options:</p></div>
<div class="ulist"><ul>
<li>
<p>
byte_test: dce
</p>
</li>
<li>
<p>
byte_jump: dce
</p>
</li>
</ul></div>
<div class="sect4">
<h5 id="_dce_iface">dce_iface</h5>
<div class="paragraph"><p>For DCE/RPC based rules it has been necessary to set flow-bits based on a client
bind to a service to avoid false positives. It is necessary for a client to bind
to a service before being able to make a call to it. When a client sends a bind
request to the server, it can, however, specify one or more service interfaces
to bind to.  Each interface is represented by a UUID. Each interface UUID is
paired with a unique index (or context id) that future requests can use to
reference the service that the client is making a call to. The server will
respond with the interface UUIDs it accepts as valid and will allow the client
to make requests to those services.  When a client makes a request, it will
specify the context id so the server knows what service the client is making a
request to. Instead of using flow-bits, a rule can simply ask the inspector,
using this rule option, whether or not the client has bound to a specific
interface UUID and whether or not this client request is making a request to it.
This can eliminate false positives where more than one service is bound to
successfully since the inspector can correlate the bind UUID to the context
id used in the request.  A DCE/RPC request can specify whether numbers are
represented as big endian or little endian. The representation of the interface
UUID is different depending on the endianness specified in the DCE/RPC
previously requiring two rules - one for big endian and one for little endian.
The inspector eliminates the need for two rules by normalizing the UUID.
An interface contains a version. Some versions of an interface may not be
vulnerable to a certain exploit.  Also, a DCE/RPC request can be broken up into
1 or more fragments. Flags (and a field in the connectionless header) are set in
the DCE/RPC header to indicate whether the fragment is the first, a middle or
the last fragment. Many checks for data in the DCE/RPC request are only relevant
if the DCE/RPC request is a first fragment (or full request), since subsequent
fragments will contain data deeper into the DCE/RPC request. A rule which is
looking for data, say 5 bytes into the request (maybe it&#8217;s a length field), will
be looking at the wrong data on a fragment other than the first, since the
beginning of subsequent fragments are already offset some length from the
beginning of the request. This can be a source of false positives in fragmented
DCE/RPC traffic. By default it is reasonable to only evaluate if the request is
a first fragment (or full request). However, if the "any_frag" option is used to
specify evaluating on all fragments.</p></div>
<div class="paragraph"><p>Examples:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188;
dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,&lt;2;
dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,any_frag;
dce_iface: 4b324fc8-1670-01d3-1278-5a47bf6ee188,=1,any_frag;</code></pre>
</div></div>
<div class="paragraph"><p>This option is used to specify an interface UUID. Optional arguments are an
interface version and operator to specify that the version be less than (<em>&lt;</em>),
greater than (<em>&gt;</em>), equal to (<em>=</em>) or not equal to (<em>!</em>) the version specified.
Also, by default the rule will only be evaluated for a first fragment (or full
request, i.e. not a fragment) since most rules are written to start at the
beginning of a request. The "any_frag" argument says to evaluate for middle and
last fragments as well.  This option requires tracking client Bind and
Alter Context requests as well as server Bind Ack and Alter Context responses
for connection-oriented DCE/RPC in the inspector. For each Bind and
Alter Context request, the client specifies a list of interface UUIDs along
with a handle (or context id) for each interface UUID that will be used during
the DCE/RPC session to reference the interface.  The server response indicates
which interfaces it will allow the client to make requests to - it either
accepts or rejects the client&#8217;s wish to bind to a certain interface. This
tracking is required so that when a request is processed, the context id used
in the request can be correlated with the interface UUID it is a handle for.</p></div>
<div class="paragraph"><p>hexlong and hexshort will be specified and interpreted to be in big endian
order (this is usually the default way an interface UUID will be seen and
represented). As an example, the following Messenger interface UUID as taken
off the wire from a little endian Bind request:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>|f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc|</code></pre>
</div></div>
<div class="paragraph"><p>must be written as:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc</code></pre>
</div></div>
<div class="paragraph"><p>The same UUID taken off the wire from a big endian Bind request:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>|5a 7b 91 f8 ff 00 11 d0 a9 b2 00 c0 4f b6 e6 fc|</code></pre>
</div></div>
<div class="paragraph"><p>must be written the same way:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc</code></pre>
</div></div>
<div class="paragraph"><p>This option matches if the specified interface UUID matches the interface UUID
(as referred to by the context id) of the DCE/RPC request and if supplied, the
version operation is true. This option will not match if the fragment is not a
first fragment (or full request) unless the "any_frag" option is supplied in
which case only the interface UUID and version need match.  Note that a
defragmented DCE/RPC request will be considered a full request.</p></div>
<div class="paragraph"><p>Using this rule option will automatically insert fast pattern contents into
the fast pattern matcher.  For UDP rules, the interface UUID, in both big and
little endian format will be inserted into the fast pattern matcher.  For TCP
rules, (1) if the rule option "flow:to_server|from_client" is used, |05 00 00|
will be inserted into the fast pattern matcher, (2) if the rule option
"flow:from_server|to_client" is used, |05 00 02| will be inserted into the
fast pattern matcher and (3) if the flow isn&#8217;t known, |05 00| will be inserted
into the fast pattern matcher.  Note that if the rule already has content rule
options in it, the best (meaning longest) pattern will be used.  If a content
in the rule uses the fast_pattern rule option, it will unequivocally be used
over the above mentioned patterns.</p></div>
</div>
<div class="sect4">
<h5 id="_dce_opnum">dce_opnum</h5>
<div class="paragraph"><p>The opnum represents a specific function call to an interface. After is has
been determined that a client has bound to a specific interface and is making
a request to it (see above - dce_iface) usually we want to know what function
call it is making to that service. It is likely that an exploit lies in the
particular DCE/RPC function call.</p></div>
<div class="paragraph"><p>Examples:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>dce_opnum: 15;
dce_opnum: 15-18;
dce_opnum: 15,18-20;
dce_opnum: 15,17,20-22;</code></pre>
</div></div>
<div class="paragraph"><p>This option is used to specify an opnum (or operation number), opnum range or
list containing either or both opnum and/or opnum-range. The opnum of a
DCE/RPC request will be matched against the opnums specified with this option.
This option matches if any one of the opnums specified match the opnum of the
DCE/RPC request.</p></div>
</div>
<div class="sect4">
<h5 id="_dce_stub_data">dce_stub_data</h5>
<div class="paragraph"><p>Since most DCE/RPC based rules had to do protocol decoding only to get to the
DCE/RPC stub data, i.e. the remote procedure call or function call data, this
option will alleviate this need and place the cursor at the beginning of the
DCE/RPC stub data. This reduces the number of rule option checks and the
complexity of the rule.</p></div>
<div class="paragraph"><p>This option takes no arguments.</p></div>
<div class="paragraph"><p>Example:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>dce_stub_data;</code></pre>
</div></div>
<div class="paragraph"><p>This option is used to place the cursor (used to walk the packet payload in
rules processing) at the beginning of the DCE/RPC stub data, regardless of
preceding rule options. There are no arguments to this option.  This option
matches if there is DCE/RPC stub data.</p></div>
<div class="paragraph"><p>The cursor is moved to the beginning of the stub data.  All ensuing rule
options will be considered "sticky" to this buffer.  The first rule option
following dce_stub_data should use absolute location modifiers if it is
position-dependent.  Subsequent rule options should use a relative modifier if
they are meant to be relative to a previous rule option match in the stub data
buffer.  Any rule option that does not specify a relative modifier will be
evaluated from the start of the stub data buffer.  To leave the stub data buffer
and return to the main payload buffer, use the "pkt_data" rule option.</p></div>
</div>
<div class="sect4">
<h5 id="_byte_test_and_byte_jump">byte_test and byte_jump</h5>
<div class="paragraph"><p>A DCE/RPC request can specify whether numbers are represented in big or little
endian. These rule options will take as a new argument "dce" and will work
basically the same as the normal byte_test/byte_jump, but since the DCE/RPC
inspector will know the endianness of the request, it will be able to do
the correct conversion.</p></div>
<div class="paragraph"><p>Examples:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>byte_test: 4,&gt;,35000,0,relative,dce;
byte_test: 2,!=,2280,-10,relative,dce;</code></pre>
</div></div>
<div class="paragraph"><p>When using the "dce" argument to a byte_test, the following normal byte_test
arguments will not be allowed: "big", "little", "string", "hex", "dec" and
"oct".</p></div>
<div class="paragraph"><p>Examples:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>byte_jump:4,-4,relative,align,multiplier 2,post_offset -4,dce;</code></pre>
</div></div>
<div class="paragraph"><p>When using the dce argument to a byte_jump, the following normal byte_jump
arguments will not be allowed: "big", "little", "string", "hex", "dec", "oct"
and "from_beginning"</p></div>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_file_processing">File Processing</h3>
<div class="paragraph"><p>With the volume of malware transferred through network increasing,
network file inspection becomes more and more important. This feature
will provide file type identification, file signature creation, and file
capture capabilities to help users deal with those challenges.</p></div>
<div class="sect3">
<h4 id="_overview_4">Overview</h4>
<div class="paragraph"><p>There are two parts of file services: file APIs and file policy.
File APIs provides all the file inspection functionalities, such as file
type identification, file signature calculation, and file capture.
File policy provides users ability to control file services, such
as enable/disable/configure file type identification, file signature, or
file capture.</p></div>
<div class="paragraph"><p>In addition to all capabilities from Snort 2, we support customized file
policy along with file event log.</p></div>
<div class="ulist"><ul>
<li>
<p>
Supported protocols: HTTP, SMTP, IMAP, POP3, FTP, and SMB.
</p>
</li>
<li>
<p>
Supported file signature calculation: SHA256
</p>
</li>
</ul></div>
</div>
<div class="sect3">
<h4 id="_quick_guide_2">Quick Guide</h4>
<div class="paragraph"><p>A very simple configuration has been included in lua/snort.lua file.
A typical file configuration looks like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>dofile('magic.lua')</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>my_file_policy =
{
    {  when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }
    {  when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
    {  when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },
}</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>file_id =
{
    enable_type = true,
    enable_signature = true,
    enable_capture = true,
    file_rules = magics,
    trace_type = true,
    trace_signature = true,
    trace_stream = true,
    file_policy = my_file_policy,
 }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>file_log =
{
    log_pkt_time = true,
    log_sys_time = false,
}</code></pre>
</div></div>
<div class="paragraph"><p>There are 3 steps to enable file processing:</p></div>
<div class="ulist"><ul>
<li>
<p>
First, you need to include the file magic rules.
</p>
</li>
<li>
<p>
Then, define the file policy and configure the inspector
</p>
</li>
<li>
<p>
At last, enable file_log to get detailed information about file event
</p>
</li>
</ul></div>
</div>
<div class="sect3">
<h4 id="_pre_packaged_file_magic_rules">Pre-packaged File Magic Rules</h4>
<div class="paragraph"><p>A set of file magic rules is packaged with Snort. They can be located at
"lua/file_magic.lua". To use this feature, it is recommended that these
pre-packaged rules are used; doing so requires that you include
the file in your Snort configuration as such (already in snort.lua):</p></div>
<div class="literalblock">
<div class="content">
<pre><code>dofile('magic.lua')</code></pre>
</div></div>
<div class="paragraph"><p>Example:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>{ type = "GIF", id = 62, category = "Graphics", rev = 1,
  magic = { { content = "| 47 49 46 38 37 61 |",offset = 0 } } },</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>{ type = "GIF", id = 63, category = "Graphics", rev = 1,
  magic = { { content = "| 47 49 46 38 39 61 |",offset = 0 } } },</code></pre>
</div></div>
<div class="paragraph"><p>The previous two rules define GIF format, because two file magics are
different. File magics are specified by content and offset, which look
at content at particular file offset to identify the file type. In this
case, two magics look at the beginning of the file. You can use character
if it is printable or hex value in between "|".</p></div>
</div>
<div class="sect3">
<h4 id="_file_policy">File Policy</h4>
<div class="paragraph"><p>You can enabled file type, file signature, or file capture by configuring
file_id. In addition, you can enable trace to see file stream data, file
type, and file signature information.</p></div>
<div class="paragraph"><p>Most importantly, you can configure a file policy that can block/alert
some file type or an individual file based on SHA. This allows you
build a file blacklist or whitelist.</p></div>
<div class="paragraph"><p>Example:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>file_policy =
{
    {  when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
    {  when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },
    {  when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }
}</code></pre>
</div></div>
<div class="paragraph"><p>In this example, it enables this policy:</p></div>
<div class="ulist"><ul>
<li>
<p>
For PDF files, they will be logged with signatures.
</p>
</li>
<li>
<p>
For the file matching this SHA, it will be blocked
</p>
</li>
<li>
<p>
For all file types identified, they will be logged with signature, and
also captured onto log folder.
</p>
</li>
</ul></div>
</div>
<div class="sect3">
<h4 id="_file_capture">File Capture</h4>
<div class="paragraph"><p>File can be captured and stored to log folder. We use SHA as file name
instead of actual file name to avoid conflicts. You can capture either
all files, some file type, or a particular file based on SHA.</p></div>
<div class="paragraph"><p>You can enable file capture through this config:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>enable_capture = true,</code></pre>
</div></div>
<div class="paragraph"><p>or enable it for some file or  file type in your file policy:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>{  when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_capture = true } },</code></pre>
</div></div>
<div class="paragraph"><p>The above rule will enable PDF file capture.</p></div>
</div>
<div class="sect3">
<h4 id="_file_events">File Events</h4>
<div class="paragraph"><p>File inspect preprocessor also works as a dynamic output plugin for file
events. It logs basic information about file. The log file is in the same
folder as other log files with name starting with "file.log".</p></div>
<div class="paragraph"><p>Example:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>file_log = { log_pkt_time = true, log_sys_time = false }</code></pre>
</div></div>
<div class="paragraph"><p>All file events will be logged in packet time, system time is not logged.</p></div>
<div class="paragraph"><p>File event example:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>08/14-19:14:19.100891  10.22.75.72:33734 -&gt; 10.22.75.36:80,
[Name: "malware.exe"] [Verdict: Block] [Type: MSEXE]
[SHA: 6F26E721FDB1AAFD29B41BCF90196DEE3A5412550615A856DAE8E3634BCE9F7A]
[Size: 1039328]</code></pre>
</div></div>
</div>
</div>
<div class="sect2">
<h3 id="_high_availability">High Availability</h3>
<div class="paragraph"><p>High Availability includes the HA flow synchronization and the SideChannel
messaging subsystems.</p></div>
<div class="sect3">
<h4 id="_ha">HA</h4>
<div class="paragraph"><p>HighAvailability (or HA) is a Snort module that provides state coherency
between two partner snort instances.  It uses SideChannel for messaging.</p></div>
<div class="paragraph"><p>There can be multiple types of HA within Snort and Snort plugins.  HA
implements an extensible architecture to enable plugins to subscribe to the
base flow HA messaging.  These plugins can then include their own messages
along with the flow cache HA messages.</p></div>
<div class="paragraph"><p>HA produces and consumes two type of messages:</p></div>
<div class="ulist"><ul>
<li>
<p>
Update - Update flow status.  Plugins may add their own data to the messages
</p>
</li>
<li>
<p>
Delete - A flow has been removed from the cache
</p>
</li>
</ul></div>
<div class="paragraph"><p>The HA module is configured with these items:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>high_availability =
{
    ports = "1",
    enable = true,
    min_age = 0,
    min_sync = 0
}</code></pre>
</div></div>
<div class="paragraph"><p>The <em>ports</em> item maps to the SideChannel port to use for the HA messaging.</p></div>
<div class="paragraph"><p>The <em>enabled</em> item controls the overall HA operation.</p></div>
<div class="paragraph"><p>The items min_age and min_sync are used in the stream HA logic.  min_age is
the number of milliseconds that a flow must exist in the flow cache before sending
HA messages to the partner.  min_sync is the minimum time between HA status
updates.  HA messages for a particular flow will not be sent faster than
min_sync.  Both are expressed as a number of milliseconds.</p></div>
<div class="paragraph"><p>HA messages are composed of the base <em>stream</em> information plus any content
from additional modules.  Modules subscribe HA in order to add message
content.  The <em>stream</em> HA content is always present in the messages while
the ancillary module content is only present when requested via a status
change request.</p></div>
</div>
<div class="sect3">
<h4 id="_connector">Connector</h4>
<div class="paragraph"><p>Connectors are a set of modules that are used to exchange message-oriented
data among Snort threads and the external world.  A typical use-case is
HA (High Availability) message exchange.  Connectors serve to decouple the
message transport from the message creation/consumption.  Connectors expose
a common API for several forms of message transport.</p></div>
<div class="paragraph"><p>Connectors are a Snort plugin type.</p></div>
<div class="sect4">
<h5 id="_connector_parent_plugin_class">Connector (parent plugin class)</h5>
<div class="paragraph"><p>Connectors may either be a simplex channel and perform unidirectional
communications.  Or may be duplex and perform bidirectional communications.
The TcpConnector is duplex while the FileConnector is simplex.</p></div>
<div class="paragraph"><p>All subtypes of Connector have a <em>direction</em> configuration element and a
<em>connector</em> element.  The <em>connector</em> string is the key used to identify the
element for sidechannel configuration.  The <em>direction</em> element may have a
default value, for instance TcpConnector&#8217;s are <em>duplex</em>.</p></div>
<div class="paragraph"><p>There are currently two implementations of Connectors:</p></div>
<div class="ulist"><ul>
<li>
<p>
TcpConnector - Exchange messages over a tcp channel.
</p>
</li>
<li>
<p>
FileConnector - Write messages to files and read messages from files.
</p>
</li>
</ul></div>
</div>
<div class="sect4">
<h5 id="_tcpconnector">TcpConnector</h5>
<div class="paragraph"><p>TcpConnector is a subclass of Connector and implements a DUPLEX type Connector,
able to send and receive messages over a tcp session.</p></div>
<div class="paragraph"><p>TcpConnector adds a few session setup configuration elements:</p></div>
<div class="ulist"><ul>
<li>
<p>
setup = <em>call</em> or <em>answer</em> - <em>call</em> is used to have TcpConnector initiate
        the connection.  <em>answer</em> is used to have TcpConnector accept incoming
        connections.
</p>
</li>
<li>
<p>
address = <em>&lt;addr&gt;</em> - used for <em>call</em> setup to specify the partner
</p>
</li>
<li>
<p>
base_port = port - used to contruct the actual port number for <em>call</em> and
        <em>answer</em> modes.  Actual port used is (base_port + instance_id).
</p>
</li>
</ul></div>
<div class="paragraph"><p>An example segment of TcpConnector configuration:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>tcp_connector =
{
    {
        connector = 'tcp_1',
        address = '127.0.0.1',
        setup = 'call',
        base_port = 11000
    },
}</code></pre>
</div></div>
</div>
<div class="sect4">
<h5 id="_fileconnector">FileConnector</h5>
<div class="paragraph"><p>FileConnector implements a Connector that can either read from files or write
to files.  FileConnector&#8217;s are simplex and must be configured to be
CONN_TRANSMIT or CONN_RECEIVE.</p></div>
<div class="paragraph"><p>FileConnector configuration adds two additional element:</p></div>
<div class="ulist"><ul>
<li>
<p>
name = string - used as part of the message file name
</p>
</li>
<li>
<p>
format = <em>text</em> or <em>binary</em> - FileConnector supports two file types
</p>
</li>
</ul></div>
<div class="paragraph"><p>The configured <em>name</em> string is used to construct the actual names as in:</p></div>
<div class="ulist"><ul>
<li>
<p>
file_connector_NAME_transmit and file_connector_NAME_receive
</p>
</li>
</ul></div>
<div class="paragraph"><p>All messages for one Snort invocation are read and written to one file.</p></div>
<div class="paragraph"><p>In the case of a receive FileConnector, all messages are read from the file
prior to the start of packet processing.  This allows the messages to
establish state information for all processed packets.</p></div>
<div class="paragraph"><p>Connectors are used solely by SideChannel</p></div>
<div class="paragraph"><p>An example segment of FileConnector configuration:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>file_connector =
{
    {
        connector = 'file_tx_1',
        direction = 'transmit',
        format = 'text',
        name = 'HA'
    },
    {
        connector = 'file_rx_1',
        direction = 'receive',
        format = 'text',
        name = 'HA'
    },
}</code></pre>
</div></div>
</div>
</div>
<div class="sect3">
<h4 id="_side_channel">Side Channel</h4>
<div class="paragraph"><p>SideChannel is a Snort module that uses Connectors to implement a messaging
infrastructure that is used to communicate between Snort threads and the
outside world.</p></div>
<div class="paragraph"><p>SideChannel adds functionality onto the Connector as:</p></div>
<div class="ulist"><ul>
<li>
<p>
message multiplexing/demultiplexing - An additional protocol layer is
    added to the messages.  This port number is used to direct message to/from
    various SideClass instancs.
</p>
</li>
<li>
<p>
application receive processing - handler for received messages on a
    specific port.
</p>
</li>
</ul></div>
<div class="paragraph"><p>SideChannel&#8217;s are always implement a duplex (bidirectional) messaging model
and can map to separate transmit and receive Connectors.</p></div>
<div class="paragraph"><p>The message handling model leverages the underlying Connector handling.  So
please refer to the Connector documentation.</p></div>
<div class="paragraph"><p>SideChannel&#8217;s are instantiated by various applications.  The SideChannel port
numbers are the configuration element used to map SideChannel&#8217;s to
applications.</p></div>
<div class="paragraph"><p>The SideChannel configuration mostly serves to map a port number to a Connector
or set of connectors.  Each port mapping can have at most one transmit plus
one receive connector or one duplex connector.  Multiple SideChannel&#8217;s
may be configured and instantiated to support multiple applications.</p></div>
<div class="paragraph"><p>An example SideChannel configuration along with the corresponding Connector
configuration:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>side_channel =
{
    {
        ports = '1',
        connectors =
        {
            {
                connector = 'file_rx_1',
            },
            {
                connector = 'file_tx_1',
            }
        },
    },
}</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>file_connector =
{
    {
        connector = 'file_tx_1',
        direction = 'transmit',
        format = 'text',
        name = 'HA'
    },
    {
        connector = 'file_rx_1',
        direction = 'receive',
        format = 'text',
        name = 'HA'
    },
}</code></pre>
</div></div>
</div>
</div>
<div class="sect2">
<h3 id="_ftp">FTP</h3>
<div class="paragraph"><p>Given an FTP command channel buffer, FTP will interpret the data,
identifying FTP commands and parameters, as well as FTP response codes
and messages.  It will enforce correctness of the parameters, determine
when an FTP command connection is encrypted, and determine when an FTP
data channel is opened.</p></div>
<div class="sect3">
<h4 id="_configuring_the_inspector_to_block_exploits_and_attacks">Configuring the inspector to block exploits and attacks</h4>
<div class="sect4">
<h5 id="_ftp_server_configuration">ftp_server configuration</h5>
<div class="ulist"><ul>
<li>
<p>
ftp_cmds
</p>
</li>
</ul></div>
<div class="paragraph"><p>This specifies additional FTP commands outside of those checked by
default within the inspector.  The inspector may be configured
to generate an alert when it sees a command it does not recognize.</p></div>
<div class="paragraph"><p>Aside from the default commands recognized, it may be necessary to
allow the use of the "X" commands, specified in RFC 775.  To do so, use
the following ftp_cmds option.  Since these are rarely used by FTP
client implementations, they are not included in the defaults.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>ftp_cmds = [[ XPWD XCWD XCUP XMKD XRMD ]]</code></pre>
</div></div>
<div class="ulist"><ul>
<li>
<p>
def_max_param_len
</p>
</li>
</ul></div>
<div class="paragraph"><p>This specifies the default maximum parameter length for all commands
in bytes.  If the parameter for an FTP command exceeds that length,
and the inspector is configured to do so, an alert will be generated.
This is used to check for buffer overflow exploits within FTP servers.</p></div>
<div class="ulist"><ul>
<li>
<p>
cmd_validity
</p>
</li>
</ul></div>
<div class="paragraph"><p>This specifies the valid format and length for parameters of a given command.</p></div>
<div class="ulist"><ul>
<li>
<p>
cmd_validity[].len
</p>
</li>
</ul></div>
<div class="paragraph"><p>This specifies the maximum parameter length for the specified command
in bytes, overriding the default.  If the parameter for that FTP command
exceeds that length, and the inspector is configured to do so, an
alert will be generated.  It can be used to restrict specific commands to
small parameter values.  For example the USER command&#8201;&#8212;&#8201;usernames may
be no longer than 16 bytes, so the appropriate configuration would be:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>cmd_validity =
{
    {
        command = 'USER',
        length = 16,
    }
}</code></pre>
</div></div>
<div class="ulist"><ul>
<li>
<p>
cmd_validity[].format
</p>
</li>
</ul></div>
<div class="paragraph"><p>format is as follows:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>int                 Param must be an integer
number              Param must be an integer between 1 and 255
char &lt;chars&gt;        Param must be a single char, and one of &lt;chars&gt;
date &lt;datefmt&gt;      Param follows format specified where
                    # = Number, C=Char, []=optional, |=OR, {}=choice,
                    anything else=literal (i.e., .+- )
string              Param is string (effectively unrestricted)
host_port           Param must a host port specifier, per RFC 959.
long_host_port      Parameter must be a long host port specified, per RFC 1639
extended_host_port  Parameter must be an extended host port specified, per RFC 2428</code></pre>
</div></div>
<div class="paragraph"><p>Examples of the cmd_validity option are shown below.  These examples
are the default checks (per RFC 959 and others) performed by the
inspector.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>cmd_validity =
{
    {
        command = 'CWD',
        length = 200,
    },
    {
        command = 'MODE',
        format = '&lt; char SBC &gt;',
    },
    {
        command = 'STRU',
        format = '&lt; char FRP &gt;',
    },
    {
        command = 'ALLO',
        format = '&lt; int [ char R int ] &gt;',
    },
    {
        command = 'TYPE',
        format = [[ &lt; { char AE [ char NTC ] | char I | char L [ number ]
            } &gt; ]],
    },
    {
        command = 'PORT',
        format = '&lt; host_port &gt;',
    },
}</code></pre>
</div></div>
<div class="paragraph"><p>A cmd_validity entry in the configuration can be used to override these
defaults and/or add a check for other commands.  A few examples follow.</p></div>
<div class="paragraph"><p>This allows additional modes, including mode Z which allows for
zip-style compression:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>cmd_validity =
{
    {
        command = 'MODE',
        format = '&lt; char ASBCZ &gt;',
    },
}</code></pre>
</div></div>
<div class="paragraph"><p>Allow for a date in the MDTM command:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>cmd_validity =
{
    {
        command = 'MDTM',
        format = '&lt; [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string &gt;',
    },
}</code></pre>
</div></div>
<div class="paragraph"><p>MDTM is an odd case that is worth discussing&#8230;</p></div>
<div class="paragraph"><p>While not part of an established standard, certain FTP servers accept
MDTM commands that set the modification time on a file.  The most common
among servers that do, accept a format using YYYYMMDDHHmmss[.uuu].  Some
others accept a format using YYYYMMDDHHmmss[+|-]TZ format.  The example
above is for the first case.</p></div>
<div class="paragraph"><p>To check validity for a server that uses the TZ format, use the following:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>cmd_validity =
{
    {
        command = 'MDTM',
        format = '&lt; [ date nnnnnnnnnnnnnn[{+|-}n[n]] ] string &gt;',
    },
}</code></pre>
</div></div>
<div class="ulist"><ul>
<li>
<p>
chk_str_fmt
</p>
</li>
</ul></div>
<div class="paragraph"><p>This causes the inspector to check for string format attacks on
the specified commands.</p></div>
<div class="ulist"><ul>
<li>
<p>
telnet_cmds
</p>
</li>
</ul></div>
<div class="paragraph"><p>Detect and alert when telnet cmds are seen on the FTP command channel.</p></div>
<div class="ulist"><ul>
<li>
<p>
ignore_telnet_erase_cmds
</p>
</li>
</ul></div>
<div class="paragraph"><p>This option allows Snort to ignore telnet escape sequences for erase character
(TNC EAC) and erase line (TNC EAL) when normalizing FTP command channel.  Some
FTP servers do not process those telnet escape sequences.</p></div>
<div class="ulist"><ul>
<li>
<p>
ignore_data_chan
</p>
</li>
</ul></div>
<div class="paragraph"><p>When set to true, causes the FTP inspector to force the rest of snort
to ignore the FTP data channel connections. NO INSPECTION other than state
(inspector AND rules) will be performed on that data channel. It can
be turned on to improve performance&#8201;&#8212;&#8201;especially with respect to large
file transfers from a trusted source&#8201;&#8212;&#8201;by ignoring traffic. If your rule
set includes virus-type rules, it is recommended that this option not be used.</p></div>
</div>
<div class="sect4">
<h5 id="_ftp_client_configuration">ftp_client configuration</h5>
<div class="ulist"><ul>
<li>
<p>
max_resp_len
</p>
</li>
</ul></div>
<div class="paragraph"><p>This specifies the maximum length for all response messages in bytes.
If the message for an FTP response (everything after the 3 digit code)
exceeds that length, and the inspector is configured to do so, an
alert will be generated.  This is used to check for buffer overflow
exploits within FTP clients.</p></div>
<div class="ulist"><ul>
<li>
<p>
telnet_cmds
</p>
</li>
</ul></div>
<div class="paragraph"><p>Detect and alert when telnet cmds are seen on the FTP command channel.</p></div>
<div class="ulist"><ul>
<li>
<p>
ignore_telnet_erase_cmds
</p>
</li>
</ul></div>
<div class="paragraph"><p>This option allows Snort to ignore telnet escape sequences for erase character
(TNC EAC) and erase line (TNC EAL) when normalizing FTP command channel.  Some
FTP clients do not process those telnet escape sequences.</p></div>
</div>
<div class="sect4">
<h5 id="_ftp_data">ftp_data</h5>
<div class="paragraph"><p>In order to enable file inspection for ftp, the following should be added to the
configuration:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>ftp_data = {}</code></pre>
</div></div>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_http_inspector">HTTP Inspector</h3>
<div class="paragraph"><p>One of the major undertakings for Snort 3 is developing a completely new
HTTP inspector.</p></div>
<div class="sect3">
<h4 id="_overview_5">Overview</h4>
<div class="paragraph"><p>You can configure it by adding:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>http_inspect = {}</code></pre>
</div></div>
<div class="paragraph"><p>to your snort.lua configuration file. Or you can read about it in the
source code under src/service_inspectors/http_inspect.</p></div>
<div class="paragraph"><p>So why a new HTTP inspector?</p></div>
<div class="paragraph"><p>For starters it is object-oriented. That’s good for us because we maintain
this software. But it should also be really nice for open-source
developers. You can make meaningful changes and additions to HTTP
processing without having to understand the whole thing. In fact much of
the new HTTP inspector’s knowledge of HTTP is centralized in a series of
tables where it can be easily reviewed and modified. Many significant
changes can be made just by updating these tables.</p></div>
<div class="paragraph"><p>http_inspect is the first inspector written specifically for the new
Snort 3 architecture. This provides access to one of the very best features
of Snort 3: purely PDU-based inspection. The classic preprocessor processes
HTTP messages, but even while doing so it is constantly aware of IP packets
and how they divide up the TCP data stream. The same HTTP message might be
processed differently depending on how the sender (bad guy) divided it up
into IP packets.</p></div>
<div class="paragraph"><p>http_inspect is free of this burden and can focus exclusively on HTTP.
This makes it much simpler, easier to test, and less prone to false
positives. It also greatly reduces the opportunity for adversaries to probe
the inspector for weak spots by adjusting packet boundaries to disguise bad
behavior.</p></div>
<div class="paragraph"><p>Dealing solely with HTTP messages also opens the door for developing major
new features. The http_inspect design supports true stateful processing.
Want to ask questions that involve both the client request and the server
response? Or different requests in the same session? These things are
possible.</p></div>
<div class="paragraph"><p>Another new feature on the horizon is HTTP/2 analysis. HTTP/2 derives from
Google’s SPDY project and is in the process of being standardized. Despite
the name, it is better to think of HTTP/2 not as a newer version of
HTTP/1.1, but rather a separate protocol layer that runs under HTTP/1.1 and
on top of TLS or TCP. It’s a perfect fit for the new Snort 3 architecture
because a new HTTP/2 inspector would naturally output HTTP/1.1 messages but
not any underlying packets. Exactly what http_inspect wants to input.</p></div>
<div class="paragraph"><p>http_inspect is taking a very different approach to HTTP header fields. The
classic preprocessor divides all the HTTP headers following the start line
into cookies and everything else. It normalizes the two pieces using a
generic process and puts them in buffers that one can write rules against.
There is some limited support for examining individual headers within the
inspector but it is very specific.</p></div>
<div class="paragraph"><p>The new concept is that every header should be normalized in an appropriate
and specific way and individually made available for the user to write
rules against it. If for example a header is supposed to be a date then
normalization means put that date in a standard format.</p></div>
</div>
<div class="sect3">
<h4 id="_configuration_4">Configuration</h4>
<div class="paragraph"><p>Configuration can be as simple as adding:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>http_inspect = {}</code></pre>
</div></div>
<div class="paragraph"><p>to your snort.lua file. The default configuration provides a thorough
inspection and may be all that you need. But there are some options that
provide extra features, tweak how things are done, or conserve resources by
doing less.</p></div>
<div class="sect4">
<h5 id="_request_depth_and_response_depth">request_depth and response_depth</h5>
<div class="paragraph"><p>These replace the flow depth parameters used by the old HTTP inspector but
they work differently.</p></div>
<div class="paragraph"><p>The default is to inspect the entire HTTP message body. That&#8217;s a very sound
approach but if your HTTP traffic includes many very large files such as
videos the load on Snort can become burdensome. Setting the request_depth
and response_depth parameters will limit the amount of body data that is
sent to the rule engine. For example:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>request_depth = 10000,
response_depth = 80000,</code></pre>
</div></div>
<div class="paragraph"><p>would examine only the first 10000 bytes of POST, PUT, and other message
bodies sent by the client. Responses from the server would be limited to
80000 bytes.</p></div>
<div class="paragraph"><p>These limits apply only to the message bodies. HTTP headers are always
completely inspected.</p></div>
<div class="paragraph"><p>If you want to only inspect headers and no body, set the depth to 0. If
you want to inspect the entire body set the depth to -1 or simply omit the
depth parameter entirely because that is the default.</p></div>
<div class="paragraph"><p>These limits have no effect on how much data is forwarded to file
processing.</p></div>
</div>
<div class="sect4">
<h5 id="_accelerated_blocking">accelerated_blocking</h5>
<div class="paragraph"><p>Accelerated blocking is an experimental feature currently under
development. It enables Snort to more quickly detect and block response
messages containing malicious JavaScript. As this feature involves
actively blocking traffic it is designed for use with inline mode
operation (-Q).</p></div>
<div class="paragraph"><p>This feature only functions with response_depth = -1 (unlimited). This
limitation will be removed in a future version.</p></div>
<div class="paragraph"><p>This feature is off by default. accelerated_blocking = true will activate
it.</p></div>
</div>
<div class="sect4">
<h5 id="_gzip">gzip</h5>
<div class="paragraph"><p>http_inspect by default decompresses deflate and gzip message bodies
before inspecting them. This feature can be turned off by unzip = false.
Turning off decompression provides a substantial performance improvement
but at a very high price. It is unlikely that any meaningful inspection of
message bodies will be possible. Effectively HTTP processing would be
limited to the headers.</p></div>
</div>
<div class="sect4">
<h5 id="_normalize_utf">normalize_utf</h5>
<div class="paragraph"><p>http_inspect will decode utf-8, utf-7, utf-16le, utf-16be, utf-32le, and
utf-32be in response message bodies based on the Content-Type header. This
feature is on by default: normalize_utf = false will deactivate it.</p></div>
</div>
<div class="sect4">
<h5 id="_decompress_pdf">decompress_pdf</h5>
<div class="paragraph"><p>decompress_pdf = true will enable decompression of compressed portions of
PDF files encountered in a response body. http_inspect will examine the
response body for PDF files that are then parsed to locate PDF streams with
a single /FlateDecode filter. The compressed content is decompressed and
made available through the file data rule option.</p></div>
</div>
<div class="sect4">
<h5 id="_decompress_swf">decompress_swf</h5>
<div class="paragraph"><p>decompress_swf = true will enable decompression of compressed SWF (Adobe
Flash content) files encountered in a response body. The available
decompression modes are ’deflate’ and ’lzma’. http_inspect will search for
the file signatures CWS for Deflate/ZLIB and ZWS for LZMA. The compressed
content is decompressed and made available through the file data rule
option. The compressed SWF file signature is converted to FWS to indicate
an uncompressed file.</p></div>
</div>
<div class="sect4">
<h5 id="_normalize_javascript">normalize_javascript</h5>
<div class="paragraph"><p>normalize_javascript = true will enable normalization of JavaScript within
the HTTP response body. http_inspect looks for JavaScript by searching for
the &lt;script&gt; tag without a type. Obfuscated data within the JavaScript
functions such as unescape, String.fromCharCode, decodeURI, and
decodeURIComponent are normalized. The different encodings handled within
the unescape, decodeURI, or decodeURIComponent are %XX, %uXXXX, XX and
uXXXXi. http_inspect also replaces consecutive whitespaces with a single
space and normalizes the plus by concatenating the strings.</p></div>
</div>
<div class="sect4">
<h5 id="_uri_processing">URI processing</h5>
<div class="paragraph"><p>Normalization and inspection of the URI in the HTTP request message is a
key aspect of what http_inspect does. The best way to normalize a URI is
very dependent on the idiosyncrasies of the HTTP server being accessed.
The goal is to interpret the URI the same way as the server will so that
nothing the server will see can be hidden from the rule engine.</p></div>
<div class="paragraph"><p>The default URI inspection parameters are oriented toward following the
HTTP RFCs&#8212;reading the URI the way the standards say it should be read.
Most servers deviate from this ideal in various ways that can be exploited
by an attacker. The options provide tools for the user to cope with that.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>utf8 = true
plus_to_space = true
percent_u = false
utf8_bare_byte = false
iis_unicode = false
iis_double_decode = false</code></pre>
</div></div>
<div class="paragraph"><p>The HTTP inspector normalizes percent encodings found in URIs. For instance
it will convert "%48%69%64%64%65%6e" to "Hidden". All the options listed
above control how this is done. The options listed as true are fairly
standard features that are decoded by default. You don&#8217;t need to list them
in snort.lua unless you want to turn them off by setting them to false. But
that is not recommended unless you know what you are doing and have a
definite reason.</p></div>
<div class="paragraph"><p>The other options are primarily for the protection of servers that support
irregular forms of decoding. These features are off by default but you can
activate them if you need to by setting them to true in snort.lua.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>bad_characters = "0x25 0x7e 0x6b 0x80 0x81 0x82 0x83 0x84"</code></pre>
</div></div>
<div class="paragraph"><p>That&#8217;s a list of 8-bit Ascii characters that you don&#8217;t want present in any
normalized URI after the percent decoding is done. For example 0x25 is a
hexadecimal number (37 in decimal) which stands for the <em>%</em> character. The
% character is legitimately used for encoding special characters in a URI.
But if there is still a percent after normalization one might conclude that
something is wrong. If you choose to configure 0x25 as a bad character
there will be an alert whenever this happens.</p></div>
<div class="paragraph"><p>Another example is 0x00 which signifies the null character zero. Null
characters in a URI are generally wrong and very suspicious.</p></div>
<div class="paragraph"><p>The default is not to alert on any of the 256 8-bit Ascii characters. Add
this option to your configuration if you want to define some bad
characters.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>ignore_unreserved = "abc123"</code></pre>
</div></div>
<div class="paragraph"><p>Percent encoding common characters such as letters and numbers that have no
special meaning in HTTP is suspicious. It&#8217;s legal but why would you do it
unless you have something to hide? http_inspect will alert whenever an
upper-case or lower-case letter, a digit, period, underscore, tilde, or
minus is percent-encoded. But if a legitimate application in your
environment encodes some of these characters for some reason this allows
you to create exemptions for those characters.</p></div>
<div class="paragraph"><p>In the example, the lower-case letters a, b, and c and the digits 1, 2, and
3 are exempted. These may be percent-encoded without generating an alert.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>simplify_path = true
backslash_to_slash = false</code></pre>
</div></div>
<div class="paragraph"><p>HTTP inspector simplifies directory paths in URIs by eliminating extra
traversals using ., .., and /.</p></div>
<div class="paragraph"><p>For example I can take a simple URI such as</p></div>
<div class="literalblock">
<div class="content">
<pre><code>/very/easy/example</code></pre>
</div></div>
<div class="paragraph"><p>and complicate it like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>/very/../very/././././easy//////detour/to/nowhere/../.././../example</code></pre>
</div></div>
<div class="paragraph"><p>which may be very difficult to match with a detection rule. simplify_path
is on by default and you should not turn it off unless you have no interest
in URI paths.</p></div>
<div class="paragraph"><p>backslash_to_slash is a tweak to path simplification for servers that allow
directories to be separated by backslashes:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>/this/is/the/normal/way/to/write/a/path</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>\this\is\the\other\way\to\write\a\path</code></pre>
</div></div>
<div class="paragraph"><p>backslash_to_slash is turned off by default. If you are protecting such a
server then set backslash_to_slash = true and all the backslashes will be
replaced with slashes during normalization.</p></div>
</div>
</div>
<div class="sect3">
<h4 id="_detection_rules">Detection rules</h4>
<div class="paragraph"><p>http_inspect parses HTTP messages into their components and makes them
available to the detection engine through rule options. Let&#8217;s start with an
example:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp any any -&gt; any any ( msg:"URI example"; flow:established,
to_server; http_uri; content:"chocolate"; sid:1; rev:1; )</code></pre>
</div></div>
<div class="paragraph"><p>This rule looks for chocolate in the URI portion of the request message.
Specifically, the http_uri rule option is the normalized URI with all the
percent encodings removed. It will find chocolate in both:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>GET /chocolate/cake HTTP/1.1</code></pre>
</div></div>
<div class="paragraph"><p>and</p></div>
<div class="literalblock">
<div class="content">
<pre><code>GET /%63%68$6F%63%6F%6C%61%74%65/%63%61%6B%65 HTTP/1.1</code></pre>
</div></div>
<div class="paragraph"><p>It is also possible to search the unnormalized URI</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp any any -&gt; any any ( msg:"Raw URI example"; flow:established,
to_server; http_raw_uri; content:"chocolate"; sid:2; rev:1; )</code></pre>
</div></div>
<div class="paragraph"><p>will match the first message but not the second. If you want to detect
someone who is trying to hide his request for chocolate then</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp any any -&gt; any any ( msg:"Raw URI example"; flow:established,
to_server; http_raw_uri; content:"%63%68$6F%63%6F%6C%61%74%65";
sid:3; rev:1; )</code></pre>
</div></div>
<div class="paragraph"><p>will do the trick.</p></div>
<div class="paragraph"><p>Let&#8217;s look at possible ways of writing a rule to match HTTP response
messages with the Content-Language header set to "da" (Danish). You could
write:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp any any -&gt; any any ( msg:"whole header search";
flow:established, to_client; http_header; content:
"Content-Language: da", nocase; sid:4; rev:1; )</code></pre>
</div></div>
<div class="paragraph"><p>This rule leaves much to be desired. Modern headers are often thousands of
bytes and seem to get longer every year. Searching all of the headers
consumes a lot of resources. Furthermore this rule is easily evaded:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>HTTP/1.1 ... Content-Language:  da ...</code></pre>
</div></div>
<div class="paragraph"><p>the extra space before the "da" throws the rule off. Or how about:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>HTTP/1.1 ... Content-Language: xx,da ...</code></pre>
</div></div>
<div class="paragraph"><p>By adding a made up second language the attacker has once again thwarted
the match.</p></div>
<div class="paragraph"><p>A better way to write this rule is:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp any any -&gt; any any ( msg:"individual header search";
flow:established, to_client; http_header: field content-language;
content:"da", nocase; sid:4; rev:2; )</code></pre>
</div></div>
<div class="paragraph"><p>The field option improves performance by narrowing the search to the
Content-Language field of the header. Because it uses the header parsing
abilities of http_inspect to find the field of interest it will not be
thrown off by extra spaces or other languages in the list.</p></div>
<div class="paragraph"><p>In addition to the headers there are rule options for virtually every part
of the HTTP message.</p></div>
<div class="sect4">
<h5 id="_http_uri_and_http_raw_uri">http_uri and http_raw_uri</h5>
<div class="paragraph"><p>These provide the URI of the request message. The raw form is exactly as it
appeared in the message and the normalized form is determined by the URI
normalization options you selected. In addition to searching the entire URI
there are six components that can be searched individually:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp any any -&gt; any any ( msg:"URI path"; flow:established,
to_server; http_uri: path; content:"chocolate"; sid:1; rev:2; )</code></pre>
</div></div>
<div class="paragraph"><p>By specifying "path" the search is limited to the path portion of the URI.
Informally this is the part consisting of the directory path and file name.
Thus it will match:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>GET /chocolate/cake HTTP/1.1</code></pre>
</div></div>
<div class="paragraph"><p>but not:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>GET /book/recipes?chocolate+cake HTTP/1.1</code></pre>
</div></div>
<div class="paragraph"><p>The question mark ends the path and begins the query portion of the URI.
Informally the query is where parameter values are set and often contains a
search to be performed.</p></div>
<div class="paragraph"><p>The six components are:</p></div>
<div class="olist arabic"><ol class="arabic">
<li>
<p>
path: directory and file
</p>
</li>
<li>
<p>
query: user parameters
</p>
</li>
<li>
<p>
fragment: part of the file requested, normally found only inside a
   browser and not transmitted over the network
</p>
</li>
<li>
<p>
host: domain name of the server being addressed
</p>
</li>
<li>
<p>
port: TCP port number being addressed
</p>
</li>
<li>
<p>
scheme: normally "http" or "https" but others are possible such as "ftp"
</p>
</li>
</ol></div>
<div class="paragraph"><p>Here is an example with all six:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>GET https://www.samplehost.com:287/basic/example/of/path?with-query
#and-fragment HTTP/1.1\r\n</code></pre>
</div></div>
<div class="paragraph"><p>The URI is everything between the first space and the last space. "https"
is the scheme, "www.samplehost.com" is the host, "287" is the port,
"/basic/example/of/path" is the path, "with-query" is the query, and
"and-fragment" is the fragment.</p></div>
<div class="paragraph"><p>Note: this section uses informal language to explain some things. Nothing
here is intended to conflict with the technical language of the HTTP RFCs
and the implementation follows the RFCs.</p></div>
</div>
<div class="sect4">
<h5 id="_http_header_and_http_raw_header">http_header and http_raw_header</h5>
<div class="paragraph"><p>These cover all the header lines except the first one. You may specify an
individual header by name using the field option as shown in this earlier
example:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp any any -&gt; any any ( msg:"individual header search";
flow:established, to_client; http_header: field content-language;
content:"da", nocase; sid:4; rev:2; )</code></pre>
</div></div>
<div class="paragraph"><p>This rule searches the value of the Content-Language header. Header names
are not case sensitive and may be written in the rule in any mixture of
upper and lower case.</p></div>
<div class="paragraph"><p>With http_header the individual header value is normalized in a way that is
appropriate for that header.</p></div>
<div class="paragraph"><p>Specifying an individual header is not available for http_raw_header.</p></div>
<div class="paragraph"><p>If you don&#8217;t specify a header you get all of the headers except for the
cookie headers Cookie and Set-Cookie. http_raw_header includes the
unmodified header names and values as they appeared in the original
message. http_header is the same except percent encodings are removed and
paths are simplified exactly as if the headers were a URI.</p></div>
<div class="paragraph"><p>In most cases specifying individual headers creates a more efficient and
accurate rule. It is recommended that new rules be written using individual
headers whenever possible.</p></div>
</div>
<div class="sect4">
<h5 id="_http_trailer_and_http_raw_trailer">http_trailer and http_raw_trailer</h5>
<div class="paragraph"><p>HTTP permits header lines to appear after a chunked body ends. Typically
they contain information about the message content that was not available
when the headers were created. For convenience we call them trailers.</p></div>
<div class="paragraph"><p>http_trailer and http_raw_trailer are identical to their header
counterparts except they apply to these end headers. If you want a rule to
inspect both kinds of headers you need to write two rules, one using header
and one using trailer.</p></div>
</div>
<div class="sect4">
<h5 id="_http_cookie_and_http_raw_cookie">http_cookie and http_raw_cookie</h5>
<div class="paragraph"><p>These provide the value of the Cookie header for a request message and the
Set-Cookie for a response message. If multiple cookies are present they
will be concatenated into a comma-separated list.</p></div>
<div class="paragraph"><p>Normalization for http_cookie is the same URI-style normalization applied
to http_header when no specific header is specified.</p></div>
</div>
<div class="sect4">
<h5 id="_http_true_ip">http_true_ip</h5>
<div class="paragraph"><p>This provides the original IP address of the client sending the request as
it was stored by a proxy in the request message headers. Specifically it
is the last IP address listed in the X-Forwarded-For or True-Client-IP
header. If both headers are present the former is used.</p></div>
</div>
<div class="sect4">
<h5 id="_http_client_body">http_client_body</h5>
<div class="paragraph"><p>This is the body of a request message such as POST or PUT. Normalization
for http_client_body is the same URI-like normalization applied to
http_header when no specific header is specified.</p></div>
</div>
<div class="sect4">
<h5 id="_http_raw_body">http_raw_body</h5>
<div class="paragraph"><p>This is the body of a request or response message. It will be dechunked
and unzipped if applicable but will not be normalized in any other way.
The difference between http_raw_body and packet data is a rule that uses
packet data will search and may match an HTTP header, but http_raw_body
is limited to the message body. Thus the latter is more efficient and
more accurate for most uses.</p></div>
</div>
<div class="sect4">
<h5 id="_http_method">http_method</h5>
<div class="paragraph"><p>The method field of a request message. Common values are "GET", "POST",
"OPTIONS", "HEAD", "DELETE", "PUT", "TRACE", and "CONNECT".</p></div>
</div>
<div class="sect4">
<h5 id="_http_stat_code">http_stat_code</h5>
<div class="paragraph"><p>The status code field of a response message. This is normally a 3-digit
number between 100 and 599. In this example it is 200.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>HTTP/1.1 200 OK</code></pre>
</div></div>
</div>
<div class="sect4">
<h5 id="_http_stat_msg">http_stat_msg</h5>
<div class="paragraph"><p>The reason phrase field of a response message. This is the human-readable
text following the status code. "OK" in the previous example.</p></div>
</div>
<div class="sect4">
<h5 id="_http_version">http_version</h5>
<div class="paragraph"><p>The protocol version information that appears on the first line of an HTTP
message. This is usually "HTTP/1.0" or "HTTP/1.1".</p></div>
</div>
<div class="sect4">
<h5 id="_http_raw_request_and_http_raw_status">http_raw_request and http_raw_status</h5>
<div class="paragraph"><p>These are the unmodified first header line of the HTTP request and response
messages respectively. These rule options are a safety valve in case you
need to do something you cannot otherwise do. In most cases it is better to
use a rule option for a specific part of the first header line. For a
request message those are http_method, http_raw_uri, and http_version. For
a response message those are http_version, http_stat_code, and
http_stat_msg.</p></div>
</div>
<div class="sect4">
<h5 id="_file_data_and_packet_data">file_data and packet data</h5>
<div class="paragraph"><p>file_data contains the normalized message body. This is the normalization
described above under gzip, normalize_utf, decompress_pdf, decompress_swf,
and normalize_javascript.</p></div>
<div class="paragraph"><p>The unnormalized message content is available in the packet data. If gzip
is configured the packet data will be unzipped.</p></div>
</div>
</div>
<div class="sect3">
<h4 id="_timing_issues_and_combining_rule_options">Timing issues and combining rule options</h4>
<div class="paragraph"><p>HTTP inspector is stateful. That means it is aware of a bigger picture than
the packet in front of it. It knows what all the pieces of a message are,
the dividing lines between one message and the next, which request message
triggered which response message, pipelines, and how many messages have
been sent over the current connection.</p></div>
<div class="paragraph"><p>Some rules use a single rule option:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp any any -&gt; any any ( msg:"URI example"; flow:established,
to_server; http_uri; content:"chocolate"; sid:1; rev:1; )</code></pre>
</div></div>
<div class="paragraph"><p>Whenever a new URI is available this rule will be evaluated. Nothing
complicated about that, but suppose we use more than one rule option:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp any any -&gt; any any ( msg:"combined example"; flow:established,
to_server; http_uri: with_body; content:"chocolate"; file_data;
content:"sinister POST data"; sid:5; rev:1; )</code></pre>
</div></div>
<div class="paragraph"><p>The with_body option to http_uri causes the URI to be made available with
the message body. Use with_body for header-related rule options in rules
that also examine the message body.</p></div>
<div class="paragraph"><p>The with_trailer option is analogous and causes an earlier message element
to be made available at the end of the message when the trailers following
a chunked body arrive.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp any any -&gt; any any ( msg:"double content-language";
flow:established, to_client; http_header: with_trailer, field
content-language; content:"da", nocase; http_trailer: field
content-language; content:"en", nocase; sid:6; rev:1; )</code></pre>
</div></div>
<div class="paragraph"><p>This rule will alert if the Content-Language changes from Danish in the
headers to English in the trailers. The with_trailer option is essential to
make this rule work.</p></div>
<div class="paragraph"><p>It is also possible to write rules that examine both the client request and
the server response to it.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp any any -&gt; any any ( msg:"request and response example";
flow:established, to_client; http_uri: with_body; content:"chocolate";
file_data; content:"white chocolate"; sid:7; rev:1; )</code></pre>
</div></div>
<div class="paragraph"><p>This rule looks for white chocolate in a response message body where the
URI of the request contained chocolate. Note that this is a "to_client"
rule that will alert on and potentially block a server response containing
white chocolate, but only if the client URI requested chocolate. If the
rule were rewritten "to_server" it would be nonsense and not work. Snort
cannot block a client request based on what the server response will be
because that has not happened yet.</p></div>
<div class="paragraph"><p>Another point is "with_body" for http_uri. This ensures the rule works on
the entire response body. If we were looking for white chocolate in the
response headers this would not be necessary.</p></div>
<div class="paragraph"><p>Response messages do not have a URI so there was only one thing http_uri
could have meant in the previous rule. It had to be referring to the
request message. Sometimes that is not so clear.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp any any -&gt; any any ( msg:"header ambiguity example 1";
flow:established, to_client; http_header: with_body; content:
"chocolate"; file_data; content:"white chocolate"; sid:8; rev:1; )</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp any any -&gt; any any ( msg:"header ambiguity example 2";
flow:established, to_client; http_header: with_body, request; content:
"chocolate"; file_data; content:"white chocolate"; sid:8; rev:2; )</code></pre>
</div></div>
<div class="paragraph"><p>Our search for chocolate has moved from the URI to the message headers.
Both the request and response messages have headers&#8212;which one are we
asking about? Ambiguity is always resolved in favor of looking in the
current message which is the response. The first rule is looking for a
server response containing chocolate in the headers and white chocolate in
the body.</p></div>
<div class="paragraph"><p>The second rule uses the "request" option to explicitly say that the
http_header to be searched is the request header.</p></div>
<div class="paragraph"><p>Let&#8217;s put all of this together. There are six opportunities to do
detection:</p></div>
<div class="olist arabic"><ol class="arabic">
<li>
<p>
When the the request headers arrive. The request line and all of the
headers go through detection at the same time.
</p>
</li>
<li>
<p>
When sections of the request message body arrive. If you want to combine
this with something from the request line or headers you must use the
with_body option.
</p>
</li>
<li>
<p>
When the request trailers arrive. If you want to combine this with
something from the request line or headers you must use the with_trailer
option.
</p>
</li>
<li>
<p>
When the response headers arrive. The status line and all of the headers
go through detection at the same time. These may be combined with elements
from the request line, request headers, or request trailers. Where
ambiguity arises use the request option.
</p>
</li>
<li>
<p>
When sections of the response message body arrive. These may be combined
with the status line, response headers, request line, request headers, or
request trailers as described above.
</p>
</li>
<li>
<p>
When the response trailers arrive. Again these may be combined as
described above.
</p>
</li>
</ol></div>
<div class="paragraph"><p>Message body sections can only go through detection at the time they are
received. Headers may be combined with later items but the body cannot.</p></div>
</div>
</div>
<div class="sect2">
<h3 id="_http_2_inspector">HTTP/2 Inspector</h3>
<div class="paragraph"><p>Snort 3 is developing an inspector for HTTP/2.</p></div>
<div class="paragraph"><p>You can configure it by adding:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>http2_inspect = {}</code></pre>
</div></div>
<div class="paragraph"><p>to your snort.lua configuration file.</p></div>
<div class="paragraph"><p>Everything has a beginning and for http2_inspect this is the beginning of
the beginning. Most of the protocol including HPACK decompression is not
implemented yet.</p></div>
<div class="paragraph"><p>Currently http2_inspect will divide an HTTP/2 connection into individual
frames and make them available for detection. Two new rule options are
available for looking at HTTP/2 frames: http2_frame_header provides the
9-octet frame header and http2_frame_data provides the frame content.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp any any -&gt; any any (msg:"Frame type"; flow:established,
to_client; http2_frame_header; content:"|06|", offset 3, depth 1;
sid:1; rev:1; )</code></pre>
</div></div>
<div class="paragraph"><p>This will match if the Type byte of the frame header is 6 (PING).</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp any any -&gt; any any ( msg:"Content of HTTP/2 frame";
flow:established, to_client; http2_frame_data; content:"peppermint";
sid:2; rev:1; )</code></pre>
</div></div>
<div class="paragraph"><p>This will look for peppermint in the frame data but not the frame header.</p></div>
<div class="paragraph"><p>These can be combined:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp any any -&gt; any any ( msg:"Search in message bodies";
flow:established, to_client;
http2_frame_header; content:"|00|", offset 3, depth 1;
http2_frame_data; content:"MaLwArE"; sid:3; rev:1; )</code></pre>
</div></div>
<div class="paragraph"><p>Frame type 0 is DATA which carries the HTTP message body. This rule will
search for MaLwArE inside an HTTP message body.</p></div>
<div class="paragraph"><p>In the future, http2_inspect will support HPACK header decompression and
be fully integrated with http_inspect to provide full inspection of the
individual HTTP/1.1 streams.</p></div>
</div>
<div class="sect2">
<h3 id="_module_trace">Module Trace</h3>
<div class="paragraph"><p>Snort 3 retired the different flavors of debug macros that used to be set
through environment variable SNORT_DEBUG. It was replaced by a module specific
trace. Trace is turned on by setting the module-specific trace bitmask in
snort.lua. As before, in order to enable it, snort has to be configured and
built with  --enable-debug-msgs.</p></div>
<div class="sect3">
<h4 id="_debugging_rules_using_detection_trace">Debugging rules using detection trace</h4>
<div class="paragraph"><p>Detection engine is responsible for rule evaluation. Turning on the
trace for it can help with debugging new rules.</p></div>
<div class="paragraph"><p>The relevant options for detection are as follow (represented as hex):</p></div>
<div class="literalblock">
<div class="content">
<pre><code>0x2 - follow rule evaluation
0x4 - print evaluated buffer if it changed
0x8 - print evaluated buffer at every step
0x10 - print value of ips rule options vars
0x20 - print information on fast pattern search</code></pre>
</div></div>
<div class="paragraph"><p>Buffer print is useful, but in case the buffer is very big can be too verbose.
Choose between 0x4, 0x8 or no buffer trace accordingly.</p></div>
<div class="paragraph"><p>0x10 is useful when the rule is using ips rule options vars.</p></div>
</div>
<div class="sect3">
<h4 id="_example_rule_evaluation_traces">Example - rule evaluation traces:</h4>
<div class="paragraph"><p>In snort.lua, the following line was added:</p></div>
<div class="paragraph"><p>detection = {trace = 0x20 + 0x10 + 0x2 + 0x4}</p></div>
<div class="paragraph"><p>The pcap has a single packet with payload:
10.AAAAAAAfoobar</p></div>
<div class="paragraph"><p>Evaluated on rules:</p></div>
<div class="literalblock">
<div class="content">
<pre><code># byte_math + oper with byte extract and content
# VAL = 1, byte_math = 0 + 10
alert tcp ( byte_extract: 1, 0, VAL, string, dec;
byte_math:bytes 1,offset VAL,oper +, rvalue 10, result var1, string dec;
content:"foo", offset var1; sid:3)</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>#This rule should not trigger
alert tcp (content:"AAAAA"; byte_jump:2,0,relative;
content:"foo", within 3; sid:2)</code></pre>
</div></div>
<div class="paragraph"><p>The output:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>detection: packet 1 C2S 127.0.0.1:1234 127.0.0.1:5678
detection: Fast pattern search
detection: 1 fp packet[16]</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>snort.raw[16]:
- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
31 30 00 41 41 41 41 41 41 41  66 6F 6F 62 61 72              10.AAAAAAAfoobar
- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
detection: Processing pattern match #1
detection: Fast pattern packet[5] = 'AAAAA' |41 41 41 41 41 | ( )
detection: Starting tree eval
detection: Evaluating option content, cursor name pkt_data, cursor position 0</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>snort.raw[16]:
- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
31 30 00 41 41 41 41 41 41 41  66 6F 6F 62 61 72              10.AAAAAAAfoobar
- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
detection: Rule options variables:
var[0]=0 var[1]=0 var[2]=0
detection: Evaluating option byte_jump, cursor name pkt_data, cursor position 8</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>snort.raw[8]:
- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
41 41 66 6F 6F 62 61 72                                       AAfoobar
- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
detection: no match
detection: Rule options variables:
var[0]=0 var[1]=0 var[2]=0
detection: Evaluating option byte_jump, cursor name pkt_data, cursor position 9</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>snort.raw[7]:
- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
41 66 6F 6F 62 61 72                                          Afoobar
- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
detection: no match
detection: Rule options variables:
var[0]=0 var[1]=0 var[2]=0
detection: Evaluating option byte_jump, cursor name pkt_data, cursor position 10</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>snort.raw[6]:
- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
66 6F 6F 62 61 72                                             foobar
- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
detection: no match
detection: no match
detection: Processing pattern match #2
detection: Fast pattern packet[3] = 'foo' |66 6F 6F | ( )
detection: Starting tree eval
detection: Evaluating option byte_extract, cursor name pkt_data, cursor position 0</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>snort.raw[16]:
- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
31 30 00 41 41 41 41 41 41 41  66 6F 6F 62 61 72              10.AAAAAAAfoobar
- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
detection: Rule options variables:
var[0]=1 var[1]=0 var[2]=0
detection: Evaluating option byte_math, cursor name pkt_data, cursor position 1</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>snort.raw[15]:
- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
30 00 41 41 41 41 41 41 41 66  6F 6F 62 61 72                 0.AAAAAAAfoobar
- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
detection: Rule options variables:
var[0]=1 var[1]=10 var[2]=0
detection: Evaluating option content, cursor name pkt_data, cursor position 2</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>snort.raw[14]:
- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
00 41 41 41 41 41 41 41 66 6F  6F 62 61 72                    .AAAAAAAfoobar
- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
detection: Rule options variables:
var[0]=1 var[1]=10 var[2]=0
detection: Reached leaf, cursor name pkt_data, cursor position 13</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>snort.raw[3]:
- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
62 61 72                                                      bar
- - - - - - - - - - - - - - -  - - - - - - - - - - - - - - -  - - - - -  - - - - -
detection: Matched rule gid:sid:rev 1:3:0
detection: Rule options variables:
var[0]=1 var[1]=10 var[2]=0
04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_protocols_decoding_trace">Protocols decoding trace</h4>
<div class="paragraph"><p>Turning on decode trace will print out information about the packets decoded
protocols. Can be useful in case of tunneling.</p></div>
<div class="paragraph"><p>Example for a icmpv4-in-ipv6 packet:</p></div>
<div class="paragraph"><p>In snort.lua, the following line was added:</p></div>
<div class="paragraph"><p>decode = { trace = 1 }</p></div>
<div class="paragraph"><p>The output:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>decode: Codec eth (protocol_id: 34525) ip header starts at: 0x7f70800110f0, length is 14
decode: Codec ipv6 (protocol_id: 1) ip header starts at: 0x7f70800110f0, length is 40
decode: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8
decode: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_other_available_traces">Other available traces</h4>
<div class="paragraph"><p>There are more trace options supported by detection:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>0x1 - prints statistics about the engine
0x40 - prints a message when disabling content detect for packet
0x80 - prints option tree data structure
0x100 - prints a message when a new tag is added</code></pre>
</div></div>
<div class="paragraph"><p>Detection is the only module that support multiple options for trace.</p></div>
<div class="paragraph"><p>The rest support only 1 option, and can be turned on by adding trace = 1 to
their lua config.</p></div>
<div class="ulist"><ul>
<li>
<p>
stream module trace:
</p>
</li>
</ul></div>
<div class="paragraph"><p>When turned on prints a message in case inspection is stopped on a flow.
Example for output:</p></div>
<div class="paragraph"><p>stream: stop inspection on flow, dir BOTH</p></div>
<div class="ulist"><ul>
<li>
<p>
stream_ip, stream_user: trace will output general processing messages
</p>
</li>
</ul></div>
<div class="paragraph"><p>Other modules that support trace have messages as seemed fit to the developer.
Some are for corner cases, other for complex data structures prints.  Current
list of additional modules supporting trace: appid, dce_smb, gtp_inspect and
dce_udp.</p></div>
</div>
</div>
<div class="sect2">
<h3 id="_performance_monitor">Performance Monitor</h3>
<div class="paragraph"><p>The new and improved performance monitor! Is your sensor being bogged down by
too many flows? perf_monitor! Why are certain TCP segments being dropped without
hitting a rule? perf_monitor! Why is a sensor leaking water? Not perf_monitor, check
with stream…</p></div>
<div class="sect3">
<h4 id="_overview_6">Overview</h4>
<div class="paragraph"><p>The Snort performance monitor is the built-in utility for monitoring system
and traffic statistics. All statistics are separated by processing thread.
perf_monitor supports several trackers for monitoring such data:</p></div>
</div>
<div class="sect3">
<h4 id="_base_tracker">Base Tracker</h4>
<div class="paragraph"><p>The base tracker is used to gather running statistics about Snort and its
running modules. All Snort modules gather, at the very least, counters for the
number of packets reaching it. Most supplement these counts with those for
domain specific functions, such as http_inspect’s number of GET requests seen.</p></div>
<div class="paragraph"><p>Statistics are gathered live and can be reported at regular intervals. The stats
reported correspond only to the interval in question and are reset at the
beginning of each interval.</p></div>
<div class="paragraph"><p>These are the same counts displayed when Snort shuts down, only sorted amongst
the discrete intervals in which they occurred.</p></div>
<div class="paragraph"><p>Base differs from prior implementations in Snort in that all stats gathered are
only raw counts, allowing the data to be evaluated as needed. Additionally,
base is entirely pluggable. Data from new Snort plugins can be added to the
existing stats either automatically or, if specified, by name and function.</p></div>
<div class="paragraph"><p>All plugins and counters can be enabled or disabled individually, allowing for
only the data that is actually desired instead of overly verbose performance
logs.</p></div>
<div class="paragraph"><p>To enable everything:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>perf_monitor = { modules = {} }</code></pre>
</div></div>
<div class="paragraph"><p>To enable everything within a module:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>perf_monitor =
{
    modules =
    {
        {
            name = 'stream_tcp',
            pegs = [[ ]]
        },
    }
}</code></pre>
</div></div>
<div class="paragraph"><p>To enable specific counts within modules:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>perf_monitor =
{
    modules =
    {
        {
            name = 'stream_tcp',
            pegs = [[ overlaps gaps ]]
        },
    }</code></pre>
</div></div>
<div class="paragraph"><p>Note: Event stats from prior Snorts are now located within base statistics.</p></div>
</div>
<div class="sect3">
<h4 id="_flow_tracker">Flow Tracker</h4>
<div class="paragraph"><p>Flow tracks statistics regarding traffic and L3/L4 protocol distributions. This
data can be used to build a profile of traffic for inspector tuning and for
identifying where Snort may be stressed.</p></div>
<div class="paragraph"><p>To enable:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>perf_monitor = { flow = true }</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_flowip_tracker">FlowIP Tracker</h4>
<div class="paragraph"><p>FlowIP provides statistics for individual hosts within a network. This data can
be used for identifying communication habits, such as generating large or small
amounts of data, opening a small or large number of sessions, and tendency to
send smaller or larger IP packets.</p></div>
<div class="paragraph"><p>To enable:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>perf_monitor = { flow_ip = true }</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_cpu_tracker">CPU Tracker</h4>
<div class="paragraph"><p>This tracker monitors the CPU and wall time spent by a given processing thread.</p></div>
<div class="paragraph"><p>To enable:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>perf_monitor = { cpu = true }</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_formatters">Formatters</h4>
<div class="paragraph"><p>Performance monitor allows statistics to be output in a few formats. Along with
human readable text (as seen at shutdown) and csv formats, a Flatbuffers binary
format is also available if Flatbuffers is present at build. A utility for
accessing the statistics generated in this format has been included for
convenience (see fbstreamer in tools). This tool generates a YAML array of
records found, allowing the data to be read by humans or passed into other
analysis tools. For information on working directly with the Flatbuffers file
format used by Performance monitor, see the developer notes for Performance
monitor or the code provided for fbstreamer.</p></div>
</div>
</div>
<div class="sect2">
<h3 id="_pop_and_imap">POP and IMAP</h3>
<div class="paragraph"><p>POP inspector is a service inspector for POP3 protocol and IMAP inspector
is for IMAP4 protocol.</p></div>
<div class="sect3">
<h4 id="_overview_7">Overview</h4>
<div class="paragraph"><p>POP and IMAP inspectors examine data traffic and find POP and IMAP
commands and responses. The inspectors also identify the command, header,
body sections and extract the MIME attachments and decode it
appropriately. The pop and imap also identify and whitelist the pop and
imap traffic.</p></div>
</div>
<div class="sect3">
<h4 id="_configuration_5">Configuration</h4>
<div class="paragraph"><p>POP inspector and IMAP inspector offer same set of configuration options
for MIME decoding depth. These depths range from 0 to 65535 bytes. Setting
the value to 0 ("do none") turns the feature off. Alternatively the value
-1 means an unlimited amount of data should be decoded. If you do not
specify the default value is 1460 bytes.</p></div>
<div class="paragraph"><p>The depth limits apply per attachment. They are:</p></div>
<div class="sect4">
<h5 id="_b64_decode_depth">b64_decode_depth</h5>
<div class="paragraph"><p>Set the base64 decoding depth used to decode the base64-encoded MIME
attachments.</p></div>
</div>
<div class="sect4">
<h5 id="_qp_decode_depth">qp_decode_depth</h5>
<div class="paragraph"><p>Set the Quoted-Printable (QP) decoding depth used to decode QP-encoded
MIME attachments.</p></div>
</div>
<div class="sect4">
<h5 id="_bitenc_decode_depth">bitenc_decode_depth</h5>
<div class="paragraph"><p>Set the non-encoded MIME extraction depth used for non-encoded MIME
attachments.</p></div>
</div>
<div class="sect4">
<h5 id="_uu_decode_depth">uu_decode_depth</h5>
<div class="paragraph"><p>Set the Unix-to-Unix (UU) decoding depth used to decode UU-encoded
attachments.</p></div>
</div>
<div class="sect4">
<h5 id="_examples_5">Examples</h5>
<div class="literalblock">
<div class="content">
<pre><code>stream = { }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>stream_tcp = { }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>stream_ip = { }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>binder =
{
    {
        {
            when = { proto = 'tcp', ports = '110', },
            use = { type = 'pop', },
        },
        {
            when = { proto = 'tcp', ports = '143', },
            use =  { type = 'imap', },
        },
    },
}</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>imap =
{
    qp_decode_depth = 500,
}</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>pop =
{
    qp_decode_depth = -1,
    b64_decode_depth = 3000,
}</code></pre>
</div></div>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_port_scan">Port Scan</h3>
<div class="paragraph"><p>A module to detect port scanning</p></div>
<div class="sect3">
<h4 id="_overview_8">Overview</h4>
<div class="paragraph"><p>This module is designed to detect the first phase in a network attack:
Reconnaissance. In the Reconnaissance phase, an attacker determines
what types of network protocols or services a host supports. This is
the traditional place where a portscan takes place. This phase assumes
the attacking host has no prior knowledge of what protocols or
services are supported by the target, otherwise this phase would not
be necessary.</p></div>
<div class="paragraph"><p>As the attacker has no beforehand knowledge of its intended target,
most queries sent by the attacker will be negative (meaning that the
services are closed). In the nature of legitimate network
communications, negative responses from hosts are rare, and rarer
still are multiple negative responses within a given amount of time.
Our primary objective in detecting portscans is to detect and track
these negative responses.</p></div>
<div class="paragraph"><p>One of the most common portscanning tools in use today is Nmap. Nmap
encompasses many, if not all, of the current portscanning techniques.
Portscan was designed to be able to detect the different types of
scans Nmap can produce.</p></div>
<div class="paragraph"><p>The following are a list of the types of Nmap scans Portscan
will currently alert for.</p></div>
<div class="ulist"><ul>
<li>
<p>
TCP Portscan
</p>
</li>
<li>
<p>
UDP Portscan
</p>
</li>
<li>
<p>
IP Portscan
</p>
</li>
</ul></div>
<div class="paragraph"><p>These alerts are for one to one portscans, which are the traditional
types of scans; one host scans multiple ports on another host. Most of
the port queries will be negative, since most hosts have relatively
few services available.</p></div>
<div class="ulist"><ul>
<li>
<p>
TCP Decoy Portscan
</p>
</li>
<li>
<p>
UDP Decoy Portscan
</p>
</li>
<li>
<p>
IP Decoy Portscan
</p>
</li>
</ul></div>
<div class="paragraph"><p>Decoy portscans are much like regular, only the attacker has spoofed
source address inter-mixed with the real scanning address. This tactic
helps hide the true identity of the attacker.</p></div>
<div class="ulist"><ul>
<li>
<p>
TCP Distributed Portscan
</p>
</li>
<li>
<p>
UDP Distributed Portscan
</p>
</li>
<li>
<p>
IP Distributed Portscan
</p>
</li>
</ul></div>
<div class="paragraph"><p>These are many to one portscans. Distributed portscans occur when
multiple hosts query one host for open services. This is used to evade
an IDS and obfuscate command and control hosts.</p></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/note.png" alt="Note" />
</td>
<td class="content">Negative queries will be distributed among scanning hosts, so
we track this type of scan through the scanned host.</td>
</tr></table>
</div>
<div class="ulist"><ul>
<li>
<p>
TCP Portsweep
</p>
</li>
<li>
<p>
UDP Portsweep
</p>
</li>
<li>
<p>
IP Portsweep
</p>
</li>
<li>
<p>
ICMP Portsweep
</p>
</li>
</ul></div>
<div class="paragraph"><p>These alerts are for one to many portsweeps. One host scans a single
port on multiple hosts. This usually occurs when a new exploit comes out
and the attacker is looking for a specific service.</p></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/note.png" alt="Note" />
</td>
<td class="content">The characteristics of a portsweep scan may not result in many
negative responses. For example, if an attacker portsweeps a web farm
for port 80, we will most likely not see many negative responses.</td>
</tr></table>
</div>
<div class="ulist"><ul>
<li>
<p>
TCP Filtered Portscan
</p>
</li>
<li>
<p>
UDP Filtered Portscan
</p>
</li>
<li>
<p>
IP Filtered Portscan
</p>
</li>
<li>
<p>
TCP Filtered Decoy Portscan
</p>
</li>
<li>
<p>
UDP Filtered Decoy Portscan
</p>
</li>
<li>
<p>
IP Filtered Decoy Portscan
</p>
</li>
<li>
<p>
TCP Filtered Portsweep
</p>
</li>
<li>
<p>
UDP Filtered Portsweep
</p>
</li>
<li>
<p>
IP Filtered Portsweep
</p>
</li>
<li>
<p>
ICMP Filtered Portsweep
</p>
</li>
<li>
<p>
TCP Filtered Distributed Portscan
</p>
</li>
<li>
<p>
UDP Filtered Distributed Portscan
</p>
</li>
<li>
<p>
IP Filtered Distributed Portscan
</p>
</li>
</ul></div>
<div class="paragraph"><p>"Filtered" alerts indicate that there were no network errors (ICMP
unreachables or TCP RSTs) or responses on closed ports have been
suppressed. It&#8217;s also a good indicator on whether the alert is just a
very active legitimate host. Active hosts, such as NATs, can trigger
these alerts because they can send out many connection attempts within
a very small amount of time. A filtered alert may go off before
responses from the remote hosts are received.</p></div>
<div class="paragraph"><p>Portscan only generates one alert for each host pair in question
during the time window. On TCP scan alerts, Portscan
will also display any open ports that were scanned. On TCP sweep alerts
however, Portscan will only track open ports after the alert has been
triggered. Open port events are not individual alerts, but tags based
off the original scan alert.</p></div>
</div>
<div class="sect3">
<h4 id="_scan_levels">Scan levels</h4>
<div class="paragraph"><p>There are 3 default scan levels that can be set.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>1) default_hi_port_scan
2) default_med_port_scan
3) default_low_port_scan</code></pre>
</div></div>
<div class="paragraph"><p>Each of these default levels have separate options that can be edited
to alter the scan sensitivity levels (scans, rejects, nets or ports)</p></div>
<div class="paragraph"><p>Example:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>port_scan = default_low_port_scan

port_scan.tcp_decoy.ports = 1
port_scan.tcp_decoy.scans = 1
port_scan.tcp_decoy.rejects = 1
port_scan.tcp_ports.nets = 1</code></pre>
</div></div>
<div class="paragraph"><p>The example above would change each of the individual settings to 1.</p></div>
<div class="paragraph"><p>NOTE:The default levels for scans, rejects, nets and ports can be
seen in the snort_defaults.lua file.</p></div>
<div class="paragraph"><p>The counts can be seen in the alert outputs (-Acmg shown below):</p></div>
<div class="literalblock">
<div class="content">
<pre><code>50 72 69 6F 72 69 74 79  20 43 6F 75 6E 74 3A 20  Priority  Count:
30 0A 43 6F 6E 6E 65 63  74 69 6F 6E 20 43 6F 75  0.Connec tion Cou
6E 74 3A 20 34 35 0A 49  50 20 43 6F 75 6E 74 3A  nt: 45.I P Count:
20 31 0A 53 63 61 6E 6E  65 72 20 49 50 20 52 61  1.Scann er IP Ra
6E 67 65 3A 20 31 2E 32  2E 33 2E 34 3A 31 2E 32  nge: 1.2 .3.4:1.2
2E 33 2E 34 0A 50 6F 72  74 2F 50 72 6F 74 6F 20  .3.4.Por t/Proto
43 6F 75 6E 74 3A 20 33  37 0A 50 6F 72 74 2F 50  Count: 3 7.Port/P
72 6F 74 6F 20 52 61 6E  67 65 3A 20 31 3A 39 0A  roto Ran ge: 1:9.</code></pre>
</div></div>
<div class="paragraph"><p>"Low" alerts are only generated on error packets sent from the
target host, and because of the nature of error responses, this
setting should see very few false positives. However, this setting
will never trigger a Filtered Scan alert because of a lack of error
responses. This setting is based on a static time window of 60
seconds, after which this window is reset.</p></div>
<div class="paragraph"><p>"Medium" alerts track Connection Counts, and so will generate
Filtered Scan alerts. This setting may false positive on active
hosts (NATs, proxies, DNS caches, etc), so the user may need to
deploy the use of Ignore directives to properly tune this directive.</p></div>
<div class="paragraph"><p>"High" alerts continuously track hosts on a network using a time
window to evaluate portscan statistics for that host. A "High"
setting will catch some slow scans because of the continuous
monitoring, but is very sensitive to active hosts. This most
definitely will require the user to tune Portscan.</p></div>
</div>
<div class="sect3">
<h4 id="_tuning_portscan">Tuning Portscan</h4>
<div class="paragraph"><p>The most important aspect in detecting portscans is tuning the detection
engine for your network(s).  Here are some tuning tips:</p></div>
<div class="paragraph"><p>Use the watch_ip, ignore_scanners, and ignore_scanned options.
It&#8217;s important to correctly set these options.  The watch_ip option
is easy to understand.  The analyst should set this option to the
list of CIDR blocks and IPs that they want to watch.  If no
watch_ip is defined, Portscan will watch all network traffic.
The ignore_scanners and ignore_scanned options come into play in
weeding out legitimate hosts that are very active on your network.
Some of the most common examples are NAT IPs, DNS cache servers,
syslog servers, and nfs servers.  Portscan may not generate false
positives for these types of hosts, but be aware when first tuning
Portscan for these IPs. Depending on the type of alert that the
host generates, the analyst will know which to ignore it as.  If
the host is generating portsweep events, then add it to the
ignore_scanners option.  If the host is generating portscan alerts
(and is the host that is being scanned), add it to the
ignore_scanned option.</p></div>
<div class="paragraph"><p>Filtered scan alerts are much more prone to false positives.
When determining false positives, the alert type is very important.
Most of the false positives that Portscan may generate are of the
filtered scan alert type.  So be much more suspicious of filtered
portscans.  Many times this just indicates that a host was very
active during the time period in question.  If the host continually
generates these types of alerts, add it to the ignore_scanners list
or use a lower sensitivity level.</p></div>
<div class="paragraph"><p>Make use of the Priority Count, Connection Count, IP Count,
Port Count, IP range, and Port range to determine false positives.
The portscan alert details are vital in determining the scope of a
portscan and also the confidence of the portscan.  In the future,
we hope to automate much of this analysis in assigning a scope
level and confidence level, but for now the user must manually do
this.  The easiest way to determine false positives is through
simple ratio estimations. The following is a list of ratios to
estimate and the associated values that indicate a legitimate scan
and not a false positive.</p></div>
<div class="paragraph"><p>Connection Count / IP Count:  This ratio indicates an estimated
average of connections per IP.  For portscans, this ratio should be
high, the higher the better.  For portsweeps, this ratio should be
low.</p></div>
<div class="paragraph"><p>Port Count / IP Count:  This ratio indicates an estimated average
of ports connected to per IP.  For portscans, this ratio should be
high and indicates that the scanned host&#8217;s ports were connected to
by fewer IPs. For portsweeps, this ratio should be low, indicating
that the scanning host connected to few ports but on many hosts.</p></div>
<div class="paragraph"><p>Connection Count / Port Count:  This ratio indicates an estimated
average of connections per port.  For portscans, this ratio should
be low. This indicates that each connection was to a different
port.  For portsweeps, this ratio should be high. This indicates
that there were many connections to the same port.</p></div>
<div class="paragraph"><p>The reason that Priority Count is not included, is because the
priority count is included in the connection count and the above
comparisons take that into consideration.  The Priority Count play
an important role in tuning because the higher the priority count
the more likely it is a real portscan or portsweep (unless the host
is firewalled).</p></div>
<div class="paragraph"><p>If all else fails, lower the sensitivity level.
If none of these other tuning techniques work or the analyst
doesn&#8217;t have the time for tuning, lower the sensitivity level. You
get the best protection the higher the sensitivity level, but it&#8217;s
also important that the portscan detection engine generates alerts
that the analyst will find informative. The low sensitivity level
only generates alerts based on error responses. These responses
indicate a portscan and the alerts generated by the low sensitivity
level are highly accurate and require the least tuning. The low
sensitivity level does not catch filtered scans, since these are
more prone to false positives.</p></div>
</div>
</div>
<div class="sect2">
<h3 id="_sensitive_data_filtering">Sensitive Data Filtering</h3>
<div class="paragraph"><p>The <code>sd_pattern</code> IPS option provides detection and filtering of Personally
Identifiable Information (PII).  This information includes credit card
numbers, U.S. Social Security numbers, and email addresses.  A rich regular
expression syntax is available for defining your own PII.</p></div>
<div class="sect3">
<h4 id="_hyperscan">Hyperscan</h4>
<div class="paragraph"><p>The <code>sd_pattern</code> rule option is powered by the open source Hyperscan
library from Intel.  It provides a regex grammar which is mostly PCRE
compatible. To learn more about Hyperscan see
<a href="https://intel.github.io/hyperscan/dev-reference/">https://intel.github.io/hyperscan/dev-reference/</a></p></div>
</div>
<div class="sect3">
<h4 id="_syntax">Syntax</h4>
<div class="paragraph"><p>Snort provides <code>sd_pattern</code> as IPS rule option with no additional inspector
overhead.  The Rule option takes the following syntax.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>sd_pattern: "&lt;pattern&gt;"[, threshold &lt;count&gt;];</code></pre>
</div></div>
<div class="sect4">
<h5 id="_pattern">Pattern</h5>
<div class="paragraph"><p>Pattern is the most important and is the only required parameter to
<code>sd_pattern</code>. It supports 3 built in patterns which are configured by name:
"credit_card", "us_social" and "us_social_nodashes", as well as user
defined regular expressions of the Hyperscan dialect (see
<a href="https://intel.github.io/hyperscan/dev-reference/compilation.html#pattern-support">https://intel.github.io/hyperscan/dev-reference/compilation.html#pattern-support</a>).</p></div>
<div class="literalblock">
<div class="content">
<pre><code>sd_pattern:"credit_card";</code></pre>
</div></div>
<div class="paragraph"><p>When configured, Snort will replace the pattern <em>credit_card</em> with the built in
pattern. In addition to pattern matching, Snort will validate that the matched
digits will pass the Luhn-check algorithm.  Currently the only pattern that
performs extra verification.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>sd_pattern:"us_social";
sd_pattern:"us_social_nodashes";</code></pre>
</div></div>
<div class="paragraph"><p>These special patterns will also be replaced with a built in pattern.
Naturally, "us_social" is a pattern of 9 digits separated by <code>-</code>'s in the
canonical form.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>sd_pattern:"\b\w+@ourdomain\.com\b"</code></pre>
</div></div>
<div class="paragraph"><p>This is a user defined pattern which matches what is most likely email
addresses for the site "ourdomain.com". The pattern is a PCRE compatible
regex, <em>\b</em> matches a word boundary (whitespace, end of line, non-word
characters)  and <em>\w+</em> matches one or more word characters. <em>\.</em> matches
a literal <em>.</em>.</p></div>
<div class="paragraph"><p>The above pattern would match "a@ourdomain.com", "aa@ourdomain.com" but would
not match <code>1@ourdomain.com</code> <code>ab12@ourdomain.com</code> or <code>@ourdomain.com</code>.</p></div>
<div class="paragraph"><p>Note: This is just an example, this pattern is not suitable to detect many
correctly formatted emails.</p></div>
</div>
<div class="sect4">
<h5 id="_threshold">Threshold</h5>
<div class="paragraph"><p>Threshold is an optional parameter allowing you to change built in default
value (default value is <em>1</em>).  The following two instances are identical.
The first will assume the default value of <em>1</em> the second declaration
explicitly sets the threshold to <em>1</em>.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>sd_pattern:"This rule requires 1 match";
sd_pattern:"This rule requires 1 match", threshold 1;</code></pre>
</div></div>
<div class="paragraph"><p>That&#8217;s pretty easy, but here is one more example anyway.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>sd_pattern:"This is a string literal", threshold 300;</code></pre>
</div></div>
<div class="paragraph"><p>This example requires 300 matches of the pattern "This is a string literal"
to qualify as a positive match. That is, if the string only occurred 299 times
in a packet, you will not see an event.</p></div>
</div>
<div class="sect4">
<h5 id="_obfuscating_credit_cards_and_social_security_numbers">Obfuscating Credit Cards and Social Security Numbers</h5>
<div class="paragraph"><p>Snort provides discreet logging for the built in patterns "credit_card",
"us_social" and "us_social_nodashes". Enabling <code>output.obfuscate_pii</code> makes
Snort obfuscate the suspect packet payload which was matched by the
patterns. This configuration is disabled by default.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>output =
{
    obfuscate_pii = true
}</code></pre>
</div></div>
</div>
</div>
<div class="sect3">
<h4 id="_example">Example</h4>
<div class="paragraph"><p>A complete Snort IPS rule</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alert tcp ( sid:1; msg:"Credit Card"; sd_pattern:"credit_card"; )</code></pre>
</div></div>
<div class="paragraph"><p>Logged output when running Snort in "cmg" alert format.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>02/25-21:19:05.125553 [**] [1:1:0] "Credit Card" [**] [Priority: 0] {TCP} 10.1.2.3:48620 -&gt; 10.9.8.7:8
02:01:02:03:04:05 -&gt; 02:09:08:07:06:05 type:0x800 len:0x46
10.1.2.3:48620 -&gt; 10.9.8.7:8 TCP TTL:64 TOS:0x0 ID:14 IpLen:20 DgmLen:56
***A**** Seq: 0xB2  Ack: 0x2  Win: 0x2000  TcpLen: 20
- - - raw[16] - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
58 58 58 58 58 58 58 58 58 58 58 58 39 32 39 34              XXXXXXXXXXXX9294
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_caveats">Caveats</h4>
<div class="olist arabic"><ol class="arabic">
<li>
<p>
Snort currently requires setting the fast pattern engine to use
"hyperscan" in order for <code>sd_pattern</code> ips option to function correctly.
</p>
<div class="literalblock">
<div class="content">
<pre><code>search_engine = { search_method = 'hyperscan' }</code></pre>
</div></div>
</li>
<li>
<p>
Log obfuscation is only applicable to CMG and Unified2 logging formats.
</p>
</li>
<li>
<p>
Log obfuscation doesn&#8217;t support user defined PII patterns. It is
currently only supported for the built in patterns for Credit Cards and US
Social Security numbers.
</p>
</li>
<li>
<p>
Log obfuscation doesn&#8217;t work with stream rebuilt packet payloads.  (This
is a known bug).
</p>
</li>
</ol></div>
</div>
</div>
<div class="sect2">
<h3 id="_smtp">SMTP</h3>
<div class="paragraph"><p>SMTP inspector is a service inspector for SMTP protocol.</p></div>
<div class="sect3">
<h4 id="_overview_9">Overview</h4>
<div class="paragraph"><p>The SMTP inspector examines SMTP connections looking for commands and
responses. It also identifies the command, header and body sections, TLS
data and extracts the MIME attachments. This inspector also identifies and
whitelists the SMTP traffic.</p></div>
<div class="paragraph"><p>SMTP inspector logs the filename, email addresses, attachment names when
configured.</p></div>
</div>
<div class="sect3">
<h4 id="_configuration_6">Configuration</h4>
<div class="paragraph"><p>SMTP command lines can be normalized to remove extraneous spaces.
TLS-encrypted traffic can be ignored, which improves performance.  In
addition, plain-text mail data can be ignored for an additional
performance boost.</p></div>
<div class="paragraph"><p>The configuration options are described below:</p></div>
<div class="sect4">
<h5 id="_normalize_and_normalize_cmds">normalize and normalize_cmds</h5>
<div class="paragraph"><p>Normalization checks for more than one space character after a command.
Space characters are defined as space (ASCII 0x20) or tab (ASCII 0x09).
"normalize" provides options all|none|cmds, <em>all</em> checks all commands,
<em>none</em> turns off normalization for all commands. <em>cmds</em> just checks
commands listed with the "normalize_cmds" parameter.
For example:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>smtp = { normalize = 'cmds', normalize_cmds = 'RCPT VRFY EXPN' }</code></pre>
</div></div>
</div>
<div class="sect4">
<h5 id="_ignore_data">ignore_data</h5>
<div class="paragraph"><p>Set it to true to ignore data section of mail (except for mail headers)
when processing rules.</p></div>
</div>
<div class="sect4">
<h5 id="_ignore_tls_data">ignore_tls_data</h5>
<div class="paragraph"><p>Set it to true to ignore TLS-encrypted data when processing rules.</p></div>
</div>
<div class="sect4">
<h5 id="_max_command_line_len">max_command_line_len</h5>
<div class="paragraph"><p>Alert if an SMTP command line is longer than this value.  Absence of this
option or a "0" means never alert on command line length. RFC 2821
recommends 512 as a maximum command line length.</p></div>
</div>
<div class="sect4">
<h5 id="_max_header_line_len">max_header_line_len</h5>
<div class="paragraph"><p>Alert if an SMTP DATA header line is longer than this value.  Absence of
this option or a "0" means never alert on data header line length. RFC
2821 recommends 1024 as a maximum data header line length.</p></div>
</div>
<div class="sect4">
<h5 id="_max_response_line_len">max_response_line_len</h5>
<div class="paragraph"><p>Alert if an SMTP response line is longer than this value.  Absence of this
option or a "0" means never alert on response line length. RFC 2821
recommends 512 as a maximum response line length.</p></div>
</div>
<div class="sect4">
<h5 id="_alt_max_command_line_len">alt_max_command_line_len</h5>
<div class="paragraph"><p>Overrides max_command_line_len for specific commands
For example:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>alt_max_command_line_len =
{
    {
        command = 'MAIL',
        length = 260,
    },
    {
        command = 'RCPT',
        length = 300,
    },
}</code></pre>
</div></div>
</div>
<div class="sect4">
<h5 id="_invalid_cmds">invalid_cmds</h5>
<div class="paragraph"><p>Alert if this command is sent from client side.</p></div>
</div>
<div class="sect4">
<h5 id="_valid_cmds">valid_cmds</h5>
<div class="paragraph"><p>List of valid commands.  We do not alert on commands in this list.</p></div>
<div class="paragraph"><p>DEFAULT empty list, but SMTP inspector has this list hard-coded:
[[ ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN
 HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SIZE
 STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE
 XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR ]]</p></div>
</div>
<div class="sect4">
<h5 id="_data_cmds">data_cmds</h5>
<div class="paragraph"><p>List of commands that initiate sending of data with an end of data
delimiter the same as that of the DATA command per RFC 5321 -
"&lt;CRLF&gt;.&lt;CRLF&gt;".</p></div>
</div>
<div class="sect4">
<h5 id="_binary_data_cmds">binary_data_cmds</h5>
<div class="paragraph"><p>List of commands that initiate sending of data and use a length value
after the command to indicate the amount of data to be sent, similar to
that of the BDAT command per RFC 3030.</p></div>
</div>
<div class="sect4">
<h5 id="_auth_cmds">auth_cmds</h5>
<div class="paragraph"><p>List of commands that initiate an authentication exchange between client
and server.</p></div>
</div>
<div class="sect4">
<h5 id="_xlink2state">xlink2state</h5>
<div class="paragraph"><p>Enable/disable xlink2state alert, options are {disable | alert | drop}.
See CVE-2005-0560 for a description of the vulnerability.</p></div>
</div>
<div class="sect4">
<h5 id="_mime_processing_depth_parameters">MIME processing depth parameters</h5>
<div class="paragraph"><p>These four MIME processing depth parameters are identical to their POP and
IMAP counterparts. See that section for further details.</p></div>
<div class="paragraph"><p>b64_decode_depth
qp_decode_depth
bitenc_decode_depth
uu_decode_depth</p></div>
</div>
<div class="sect4">
<h5 id="_log_options">Log Options</h5>
<div class="paragraph"><p>Following log options allow SMTP inspector to log email addresses and
filenames.
Please note, this is logged only with the unified2 output and is not
logged with the console output (-A cmg). u2spewfoo can be used to read
this data from the unified2.</p></div>
<div class="paragraph"><p><em>log_mailfrom</em></p></div>
<div class="paragraph"><p>This option enables SMTP inspector to parse and log the sender&#8217;s email
address extracted from the "MAIL FROM" command along with all the
generated events for that session. The maximum number of bytes logged for
this option is 1024.</p></div>
<div class="paragraph"><p><em>log_rcptto</em></p></div>
<div class="paragraph"><p>This option enables SMTP inspector to parse and log the recipient email
addresses extracted from the "RCPT TO" command along with all the
generated events for that session. Multiple recipients are appended with
commas. The maximum number of bytes logged for this option is 1024.</p></div>
<div class="paragraph"><p><em>log_filename</em></p></div>
<div class="paragraph"><p>This option enables SMTP inspector to parse and log the MIME attachment
filenames extracted from the Content-Disposition header within the MIME
body along with all the generated events for that session. Multiple
filenames are appended with commas. The maximum number of bytes logged for
this option is 1024.</p></div>
<div class="paragraph"><p><em>log_email_hdrs</em></p></div>
<div class="paragraph"><p>This option enables SMTP inspector to parse and log the SMTP email headers
extracted from SMTP data along with all generated events for that session.
The number of bytes extracted and logged depends upon the
email_hdrs_log_depth.</p></div>
<div class="paragraph"><p><em>email_hdrs_log_depth</em></p></div>
<div class="paragraph"><p>This option specifies the depth for logging email headers. The allowed
range for this option is 0 - 20480. A value of 0 will disable email
headers logging. The default value for this option is 1464.</p></div>
</div>
</div>
<div class="sect3">
<h4 id="_example_2">Example</h4>
<div class="literalblock">
<div class="content">
<pre><code>smtp =
{
    normalize = 'cmds',
    normalize_cmds = 'EXPN VRFY RCPT',
    b64_decode_depth = 0,
    qp_decode_depth = 0,
    bitenc_decode_depth = 0,
    uu_decode_depth = 0,
    log_mailfrom = true,
    log_rcptto = true,
    log_filename = true,
    log_email_hdrs = true,
    max_command_line_len = 512,
    max_header_line_len = 1000,
    max_response_line_len = 512,
    max_auth_command_line_len = 50,
    xlink2state = 'alert',
    alt_max_command_line_len =
    {
        {
            command = 'MAIL',
            length = 260,
        },
        {
            command = 'RCPT',
            length = 300,
        },
        {
            command = 'HELP',
            length = 500,
        },
        {
            command = 'HELO',
            length = 500,
        },
        {
            command = 'ETRN',
            length = 500,
        },
        {
            command = 'EXPN',
            length = 255,
        },
        {
            command = 'VRFY',
            length = 255,
        },
    },
}</code></pre>
</div></div>
</div>
</div>
<div class="sect2">
<h3 id="_telnet">Telnet</h3>
<div class="paragraph"><p>Given a telnet data buffer, Telnet will normalize the buffer with
respect to telnet commands and option negotiation, eliminating telnet
command sequences per RFC 854.  It will also determine when a
telnet connection is encrypted, per the use of the telnet encryption
option per RFC 2946.</p></div>
<div class="sect3">
<h4 id="_configuring_the_inspector_to_block_exploits_and_attacks_2">Configuring the inspector to block exploits and attacks</h4>
<div class="paragraph"><p>ayt_attack_thresh number</p></div>
<div class="paragraph"><p>Detect and alert on consecutive are you there [AYT] commands beyond the
threshold number specified.  This addresses a few specific vulnerabilities
relating to bsd-based implementations of telnet.</p></div>
</div>
</div>
<div class="sect2">
<h3 id="_wizard">Wizard</h3>
<div class="paragraph"><p>Using the wizard enables port-independent configuration and the detection of
malware command and control channels.  If the wizard is bound to a session, it
peeks at the initial payload to determine the service.  For example, <em>GET</em>
would indicate HTTP and <em>HELO</em> would indicate SMTP.  Upon finding a match, the
service bindings are reevaluated so the session can be handed off to the
appropriate inspector.  The wizard is still under development; if you find you
need to tweak the defaults please let us know.</p></div>
<div class="paragraph"><p>Additional Details:</p></div>
<div class="ulist"><ul>
<li>
<p>
If the wizard and one or more service inspectors are configured w/o
  explicitly configuring the binder, default bindings will be generated which
  should work for most common cases.
</p>
</li>
<li>
<p>
Also note that while Snort 2 bindings can only be configured in the
  default policy, each Snort 3 policy can contain a binder leading to an
  arbitrary hierarchy.
</p>
</li>
<li>
<p>
The entire configuration can be reloaded and hot-swapped during run-time
  via signal or command in both Snort 2 and Snort 3.  Ultimately, Snort 3
  will support commands to update the binder on the fly, thus enabling
  incremental reloads of individual inspectors.
</p>
</li>
<li>
<p>
Both Snort 2 and Snort 3 support server specific configurations via a hosts
  table (XML in Snort 2 and Lua in Snort 3).  The table allows you to
  map network, protocol, and port to a service and policy.  This table can
  be reloaded and hot-swapped separately from the config file.
</p>
</li>
<li>
<p>
You can find the specifics on the binder, wizard, and hosts tables in the
  manual or command line like this:  snort --help-module binder, etc.
</p>
</li>
</ul></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_basic_modules">Basic Modules</h2>
<div class="sectionbody">
<div class="paragraph"><p>Internal modules which are not plugins are termed "basic".  These include
configuration for core processing.</p></div>
<div class="sect2">
<h3 id="_active">active</h3>
<div class="paragraph"><p>What: configure responses</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>active.attempts</strong> = 0: number of TCP packets sent per response (with varying sequence numbers) { 0:255 }
</p>
</li>
<li>
<p>
string <strong>active.device</strong>: use <em>ip</em> for network layer responses or <em>eth0</em> etc for link layer
</p>
</li>
<li>
<p>
string <strong>active.dst_mac</strong>: use format <em>01:23:45:67:89:ab</em>
</p>
</li>
<li>
<p>
int <strong>active.max_responses</strong> = 0: maximum number of responses { 0:255 }
</p>
</li>
<li>
<p>
int <strong>active.min_interval</strong> = 255: minimum number of seconds between responses { 1:255 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>active.injects</strong>: total crafted packets injected (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_alerts_2">alerts</h3>
<div class="paragraph"><p>What: configure alerts</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>alerts.alert_with_interface_name</strong> = false: include interface in alert info (fast, full, or syslog only)
</p>
</li>
<li>
<p>
int <strong>alerts.detection_filter_memcap</strong> = 1048576: set available MB of memory for detection_filters { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>alerts.event_filter_memcap</strong> = 1048576: set available MB of memory for event_filters { 0:max32 }
</p>
</li>
<li>
<p>
bool <strong>alerts.log_references</strong> = false: include rule references in alert info (full only)
</p>
</li>
<li>
<p>
string <strong>alerts.order</strong> = pass reset block drop alert log: change the order of rule action application
</p>
</li>
<li>
<p>
int <strong>alerts.rate_filter_memcap</strong> = 1048576: set available MB of memory for rate_filters { 0:max32 }
</p>
</li>
<li>
<p>
string <strong>alerts.reference_net</strong>: set the CIDR for homenet (for use with -l or -B, does NOT change $HOME_NET in IDS mode)
</p>
</li>
<li>
<p>
bool <strong>alerts.stateful</strong> = false: don&#8217;t alert w/o established session (note: rule action still taken)
</p>
</li>
<li>
<p>
string <strong>alerts.tunnel_verdicts</strong>: let DAQ handle non-allow verdicts for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls traffic
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_attribute_table">attribute_table</h3>
<div class="paragraph"><p>What: configure hosts loading</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>attribute_table.max_hosts</strong> = 1024: maximum number of hosts in attribute table { 32:max53 }
</p>
</li>
<li>
<p>
int <strong>attribute_table.max_services_per_host</strong> = 8: maximum number of services per host entry in attribute table { 1:65535 }
</p>
</li>
<li>
<p>
int <strong>attribute_table.max_metadata_services</strong> = 8: maximum number of services in rule { 1:255 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_classifications">classifications</h3>
<div class="paragraph"><p>What: define rule categories with priority</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong><code>classifications[].name</code></strong>: name used with classtype rule option
</p>
</li>
<li>
<p>
int <strong><code>classifications[].priority</code></strong> = 1: default priority for class { 0:max32 }
</p>
</li>
<li>
<p>
string <strong><code>classifications[].text</code></strong>: description of class
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_daq">daq</h3>
<div class="paragraph"><p>What: configure packet acquisition interface</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong><code>daq.module_dirs[].path</code></strong>: directory path
</p>
</li>
<li>
<p>
string <strong><code>daq.inputs[].input</code></strong>: input source
</p>
</li>
<li>
<p>
int <strong>daq.snaplen</strong> = 1518: set snap length (same as -s) { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>daq.batch_size</strong> = 64: set receive batch size (same as --daq-batch-size) { 1: }
</p>
</li>
<li>
<p>
string <strong><code>daq.modules[].name</code></strong>: DAQ module name (required)
</p>
</li>
<li>
<p>
enum <strong><code>daq.modules[].mode</code></strong> = passive: DAQ module mode { passive | inline | read-file }
</p>
</li>
<li>
<p>
string <strong><code>daq.modules[].variables[].variable</code></strong>: DAQ module variable (foo[=bar])
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>daq.pcaps</strong>: total files and interfaces processed (max)
</p>
</li>
<li>
<p>
<strong>daq.received</strong>: total packets received from DAQ (sum)
</p>
</li>
<li>
<p>
<strong>daq.analyzed</strong>: total packets analyzed from DAQ (sum)
</p>
</li>
<li>
<p>
<strong>daq.dropped</strong>: packets dropped (sum)
</p>
</li>
<li>
<p>
<strong>daq.filtered</strong>: packets filtered out (sum)
</p>
</li>
<li>
<p>
<strong>daq.outstanding</strong>: packets unprocessed (sum)
</p>
</li>
<li>
<p>
<strong>daq.injected</strong>: active responses or replacements (sum)
</p>
</li>
<li>
<p>
<strong>daq.allow</strong>: total allow verdicts (sum)
</p>
</li>
<li>
<p>
<strong>daq.block</strong>: total block verdicts (sum)
</p>
</li>
<li>
<p>
<strong>daq.replace</strong>: total replace verdicts (sum)
</p>
</li>
<li>
<p>
<strong>daq.whitelist</strong>: total whitelist verdicts (sum)
</p>
</li>
<li>
<p>
<strong>daq.blacklist</strong>: total blacklist verdicts (sum)
</p>
</li>
<li>
<p>
<strong>daq.ignore</strong>: total ignore verdicts (sum)
</p>
</li>
<li>
<p>
<strong>daq.retry</strong>: total retry verdicts (sum)
</p>
</li>
<li>
<p>
<strong>daq.internal_blacklist</strong>: packets blacklisted internally due to lack of DAQ support (sum)
</p>
</li>
<li>
<p>
<strong>daq.internal_whitelist</strong>: packets whitelisted internally due to lack of DAQ support (sum)
</p>
</li>
<li>
<p>
<strong>daq.skipped</strong>: packets skipped at startup (sum)
</p>
</li>
<li>
<p>
<strong>daq.idle</strong>: attempts to acquire from DAQ without available packets (sum)
</p>
</li>
<li>
<p>
<strong>daq.rx_bytes</strong>: total bytes received (sum)
</p>
</li>
<li>
<p>
<strong>daq.retries_queued</strong>: messages queued for retry (sum)
</p>
</li>
<li>
<p>
<strong>daq.retries_dropped</strong>: messages dropped when overrunning the retry queue (sum)
</p>
</li>
<li>
<p>
<strong>daq.retries_processed</strong>: messages processed from the retry queue (sum)
</p>
</li>
<li>
<p>
<strong>daq.retries_discarded</strong>: messages discarded when purging the retry queue (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_decode">decode</h3>
<div class="paragraph"><p>What: general decoder rules</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>decode.trace</strong>: mask for enabling debug traces in module { 0:max53 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:450</strong> (decode) bad IP protocol
</p>
</li>
<li>
<p>
<strong>116:293</strong> (decode) two or more IP (v4 and/or v6) encapsulation layers present
</p>
</li>
<li>
<p>
<strong>116:459</strong> (decode) fragment with zero length
</p>
</li>
<li>
<p>
<strong>116:150</strong> (decode) loopback IP
</p>
</li>
<li>
<p>
<strong>116:151</strong> (decode) same src/dst IP
</p>
</li>
<li>
<p>
<strong>116:449</strong> (decode) unassigned/reserved IP protocol
</p>
</li>
<li>
<p>
<strong>116:472</strong> (decode) too many protocols present
</p>
</li>
<li>
<p>
<strong>116:473</strong> (decode) ether type out of range
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_detection">detection</h3>
<div class="paragraph"><p>What: configure general IPS rule processing parameters</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>detection.asn1</strong> = 0: maximum decode nodes { 0:65535 }
</p>
</li>
<li>
<p>
bool <strong>detection.global_default_rule_state</strong> = true: enable or disable rules by default (overridden by ips policy settings)
</p>
</li>
<li>
<p>
bool <strong>detection.global_rule_state</strong> = false: apply rule_state against all policies
</p>
</li>
<li>
<p>
int <strong>detection.offload_limit</strong> = 99999: minimum sizeof PDU to offload fast pattern search (defaults to disabled) { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>detection.offload_threads</strong> = 0: maximum number of simultaneous offloads (defaults to disabled) { 0:max32 }
</p>
</li>
<li>
<p>
bool <strong>detection.pcre_enable</strong> = true: disable pcre pattern matching
</p>
</li>
<li>
<p>
int <strong>detection.pcre_match_limit</strong> = 1500: limit pcre backtracking, 0 = off { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>detection.pcre_match_limit_recursion</strong> = 1500: limit pcre stack consumption, 0 = off { 0:max32 }
</p>
</li>
<li>
<p>
bool <strong>detection.enable_address_anomaly_checks</strong> = false: enable check and alerting of address anomalies
</p>
</li>
<li>
<p>
int <strong>detection.trace</strong>: mask for enabling debug traces in module { 0:max53 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>detection.analyzed</strong>: total packets processed (now)
</p>
</li>
<li>
<p>
<strong>detection.hard_evals</strong>: non-fast pattern rule evaluations (sum)
</p>
</li>
<li>
<p>
<strong>detection.raw_searches</strong>: fast pattern searches in raw packet data (sum)
</p>
</li>
<li>
<p>
<strong>detection.cooked_searches</strong>: fast pattern searches in cooked packet data (sum)
</p>
</li>
<li>
<p>
<strong>detection.pkt_searches</strong>: fast pattern searches in packet data (sum)
</p>
</li>
<li>
<p>
<strong>detection.alt_searches</strong>: alt fast pattern searches in packet data (sum)
</p>
</li>
<li>
<p>
<strong>detection.key_searches</strong>: fast pattern searches in key buffer (sum)
</p>
</li>
<li>
<p>
<strong>detection.header_searches</strong>: fast pattern searches in header buffer (sum)
</p>
</li>
<li>
<p>
<strong>detection.body_searches</strong>: fast pattern searches in body buffer (sum)
</p>
</li>
<li>
<p>
<strong>detection.file_searches</strong>: fast pattern searches in file buffer (sum)
</p>
</li>
<li>
<p>
<strong>detection.offloads</strong>: fast pattern searches that were offloaded (sum)
</p>
</li>
<li>
<p>
<strong>detection.alerts</strong>: alerts not including IP reputation (sum)
</p>
</li>
<li>
<p>
<strong>detection.total_alerts</strong>: alerts including IP reputation (sum)
</p>
</li>
<li>
<p>
<strong>detection.logged</strong>: logged packets (sum)
</p>
</li>
<li>
<p>
<strong>detection.passed</strong>: passed packets (sum)
</p>
</li>
<li>
<p>
<strong>detection.match_limit</strong>: fast pattern matches not processed (sum)
</p>
</li>
<li>
<p>
<strong>detection.queue_limit</strong>: events not queued because queue full (sum)
</p>
</li>
<li>
<p>
<strong>detection.log_limit</strong>: events queued but not logged (sum)
</p>
</li>
<li>
<p>
<strong>detection.event_limit</strong>: events filtered (sum)
</p>
</li>
<li>
<p>
<strong>detection.alert_limit</strong>: events previously triggered on same PDU (sum)
</p>
</li>
<li>
<p>
<strong>detection.context_stalls</strong>: times processing stalled to wait for an available context (sum)
</p>
</li>
<li>
<p>
<strong>detection.offload_busy</strong>: times offload was not available (sum)
</p>
</li>
<li>
<p>
<strong>detection.onload_waits</strong>: times processing waited for onload to complete (sum)
</p>
</li>
<li>
<p>
<strong>detection.offload_fallback</strong>: fast pattern offload search fallback attempts (sum)
</p>
</li>
<li>
<p>
<strong>detection.offload_failures</strong>: fast pattern offload search failures (sum)
</p>
</li>
<li>
<p>
<strong>detection.offload_suspends</strong>: fast pattern search suspends due to offload context chains (sum)
</p>
</li>
<li>
<p>
<strong>detection.pcre_match_limit</strong>: total number of times pcre hit the match limit (sum)
</p>
</li>
<li>
<p>
<strong>detection.pcre_recursion_limit</strong>: total number of times pcre hit the recursion limit (sum)
</p>
</li>
<li>
<p>
<strong>detection.pcre_error</strong>: total number of times pcre returns error (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_event_filter">event_filter</h3>
<div class="paragraph"><p>What: configure thresholding of events</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong><code>event_filter[].gid</code></strong> = 1: rule generator ID { 0:max32 }
</p>
</li>
<li>
<p>
int <strong><code>event_filter[].sid</code></strong> = 1: rule signature ID { 0:max32 }
</p>
</li>
<li>
<p>
enum <strong><code>event_filter[].type</code></strong>: 1st count events | every count events | once after count events { limit | threshold | both }
</p>
</li>
<li>
<p>
enum <strong><code>event_filter[].track</code></strong>: filter only matching source or destination addresses { by_src | by_dst }
</p>
</li>
<li>
<p>
int <strong><code>event_filter[].count</code></strong> = 0: number of events in interval before tripping; -1 to disable { -1:max31 }
</p>
</li>
<li>
<p>
int <strong><code>event_filter[].seconds</code></strong> = 0: count interval { 0:max32 }
</p>
</li>
<li>
<p>
string <strong><code>event_filter[].ip</code></strong>: restrict filter to these addresses according to track
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>event_filter.no_memory_local</strong>: number of times event filter ran out of local memory (sum)
</p>
</li>
<li>
<p>
<strong>event_filter.no_memory_global</strong>: number of times event filter ran out of global memory (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_event_queue">event_queue</h3>
<div class="paragraph"><p>What: configure event queue parameters</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>event_queue.max_queue</strong> = 8: maximum events to queue { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>event_queue.log</strong> = 3: maximum events to log { 1:max32 }
</p>
</li>
<li>
<p>
enum <strong>event_queue.order_events</strong> = content_length: criteria for ordering incoming events { priority|content_length }
</p>
</li>
<li>
<p>
bool <strong>event_queue.process_all_events</strong> = false: process just first action group or all action groups
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_high_availability_2">high_availability</h3>
<div class="paragraph"><p>What: implement flow tracking high availability</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>high_availability.enable</strong> = false: enable high availability
</p>
</li>
<li>
<p>
bool <strong>high_availability.daq_channel</strong> = false: enable use of daq data plane channel
</p>
</li>
<li>
<p>
bit_list <strong>high_availability.ports</strong>: side channel message port list { 65535 }
</p>
</li>
<li>
<p>
int <strong>high_availability.min_age</strong> = 0: minimum session life in milliseconds before HA updates { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>high_availability.min_sync</strong> = 0: minimum interval in milliseconds between HA updates { 0:max32 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>high_availability.msgs_recv</strong>: total messages received (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.update_msgs_recv</strong>: update messages received (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.update_msgs_recv_no_flow</strong>: update messages received without a local flow (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.update_msgs_consumed</strong>: update messages fully consumed (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.delete_msgs_consumed</strong>: deletion messages consumed (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.daq_stores</strong>: states stored via daq (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.daq_imports</strong>: states imported via daq (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.msg_version_mismatch</strong>: messages received with a version mismatch (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.msg_length_mismatch</strong>: messages received with an inconsistent total length (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.truncated_msgs</strong>: truncated messages received (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.unknown_key_type</strong>: messages received with an unknown flow key type (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.unknown_client_idx</strong>: messages received with an unknown client index (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.client_consume_errors</strong>: client data consume failure count (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_host_cache">host_cache</h3>
<div class="paragraph"><p>What: global LRU cache of host_tracker data about hosts</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>host_cache.dump_file</strong>: file name to dump host cache on shutdown; won&#8217;t dump by default
</p>
</li>
<li>
<p>
int <strong>host_cache.memcap</strong> = 8388608: maximum host cache size in bytes { 512:max32 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Commands:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>host_cache.dump</strong>(file_name): dump host cache
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>host_cache.lru_cache_adds</strong>: lru cache added new entry (sum)
</p>
</li>
<li>
<p>
<strong>host_cache.lru_cache_prunes</strong>: lru cache pruned entry to make space for new entry (sum)
</p>
</li>
<li>
<p>
<strong>host_cache.lru_cache_find_hits</strong>: lru cache found entry in cache (sum)
</p>
</li>
<li>
<p>
<strong>host_cache.lru_cache_find_misses</strong>: lru cache did not find entry in cache (sum)
</p>
</li>
<li>
<p>
<strong>host_cache.lru_cache_removes</strong>: lru cache found entry and removed it (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_host_tracker">host_tracker</h3>
<div class="paragraph"><p>What: configure hosts</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
addr <strong><code>host_tracker[].ip</code></strong>: hosts address / cidr
</p>
</li>
<li>
<p>
port <strong><code>host_tracker[].services[].port</code></strong>: port number
</p>
</li>
<li>
<p>
enum <strong><code>host_tracker[].services[].proto</code></strong>: IP protocol { ip | tcp | udp }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>host_tracker.service_adds</strong>: host service adds (sum)
</p>
</li>
<li>
<p>
<strong>host_tracker.service_finds</strong>: host service finds (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_hosts">hosts</h3>
<div class="paragraph"><p>What: configure hosts</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
addr <strong><code>hosts[].ip</code></strong> = 0.0.0.0/32: hosts address / CIDR
</p>
</li>
<li>
<p>
enum <strong><code>hosts[].frag_policy</code></strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }
</p>
</li>
<li>
<p>
enum <strong><code>hosts[].tcp_policy</code></strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }
</p>
</li>
<li>
<p>
string <strong><code>hosts[].services[].name</code></strong>: service identifier
</p>
</li>
<li>
<p>
enum <strong><code>hosts[].services[].proto</code></strong> = tcp: IP protocol { tcp | udp }
</p>
</li>
<li>
<p>
port <strong><code>hosts[].services[].port</code></strong>: port number
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_inspection">inspection</h3>
<div class="paragraph"><p>What: configure basic inspection policy parameters</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>inspection.id</strong> = 0: correlate policy and events with other items in configuration { 0:65535 }
</p>
</li>
<li>
<p>
string <strong>inspection.uuid</strong>: correlate events by uuid
</p>
</li>
<li>
<p>
enum <strong>inspection.mode</strong> = inline-test: set policy mode { inline | inline-test }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ips">ips</h3>
<div class="paragraph"><p>What: configure IPS rule processing</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
enum <strong>ips.default_rule_state</strong> = inherit: enable or disable ips rules { no | yes | inherit }
</p>
</li>
<li>
<p>
bool <strong>ips.enable_builtin_rules</strong> = false: enable events from builtin rules w/o stubs
</p>
</li>
<li>
<p>
int <strong>ips.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }
</p>
</li>
<li>
<p>
string <strong>ips.include</strong>: snort rules and includes
</p>
</li>
<li>
<p>
string <strong>ips.includer</strong>: for internal use; where includes are included from { (optional) }
</p>
</li>
<li>
<p>
enum <strong>ips.mode</strong>: set policy mode { tap | inline | inline-test }
</p>
</li>
<li>
<p>
string <strong>ips.rules</strong>: snort rules and includes
</p>
</li>
<li>
<p>
bool <strong>ips.obfuscate_pii</strong> = false: mask all but the last 4 characters of credit card and social security numbers
</p>
</li>
<li>
<p>
string <strong>ips.uuid</strong> = 00000000-0000-0000-0000-000000000000: IPS policy uuid
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_latency">latency</h3>
<div class="paragraph"><p>What: packet and rule latency monitoring and control</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>latency.packet.max_time</strong> = 500: set timeout for packet latency thresholding (usec) { 0:max53 }
</p>
</li>
<li>
<p>
bool <strong>latency.packet.fastpath</strong> = false: fastpath expensive packets (max_time exceeded)
</p>
</li>
<li>
<p>
enum <strong>latency.packet.action</strong> = none: event action if packet times out and is fastpathed { none | alert | log | alert_and_log }
</p>
</li>
<li>
<p>
int <strong>latency.rule.max_time</strong> = 500: set timeout for rule evaluation (usec) { 0:max53 }
</p>
</li>
<li>
<p>
bool <strong>latency.rule.suspend</strong> = false: temporarily suspend expensive rules
</p>
</li>
<li>
<p>
int <strong>latency.rule.suspend_threshold</strong> = 5: set threshold for number of timeouts before suspending a rule { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>latency.rule.max_suspend_time</strong> = 30000: set max time for suspending a rule (ms, 0 means permanently disable rule) { 0:max32 }
</p>
</li>
<li>
<p>
enum <strong>latency.rule.action</strong> = none: event action for rule latency enable and suspend events { none | alert | log | alert_and_log }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>134:1</strong> (latency) rule tree suspended due to latency
</p>
</li>
<li>
<p>
<strong>134:2</strong> (latency) rule tree re-enabled after suspend timeout
</p>
</li>
<li>
<p>
<strong>134:3</strong> (latency) packet fastpathed due to latency
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>latency.total_packets</strong>: total packets monitored (sum)
</p>
</li>
<li>
<p>
<strong>latency.total_usecs</strong>: total usecs elapsed (sum)
</p>
</li>
<li>
<p>
<strong>latency.max_usecs</strong>: maximum usecs elapsed (sum)
</p>
</li>
<li>
<p>
<strong>latency.packet_timeouts</strong>: packets that timed out (sum)
</p>
</li>
<li>
<p>
<strong>latency.total_rule_evals</strong>: total rule evals monitored (sum)
</p>
</li>
<li>
<p>
<strong>latency.rule_eval_timeouts</strong>: rule evals that timed out (sum)
</p>
</li>
<li>
<p>
<strong>latency.rule_tree_enables</strong>: rule tree re-enables (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_memory">memory</h3>
<div class="paragraph"><p>What: memory management configuration</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>memory.cap</strong> = 0: set the per-packet-thread cap on memory (bytes, 0 to disable) { 0:maxSZ }
</p>
</li>
<li>
<p>
int <strong>memory.threshold</strong> = 0: set the per-packet-thread threshold for preemptive cleanup actions (percent, 0 to disable) { 0:100 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>memory.allocations</strong>: total number of allocations (now)
</p>
</li>
<li>
<p>
<strong>memory.deallocations</strong>: total number of deallocations (now)
</p>
</li>
<li>
<p>
<strong>memory.allocated</strong>: total amount of memory allocated (now)
</p>
</li>
<li>
<p>
<strong>memory.deallocated</strong>: total amount of memory allocated (now)
</p>
</li>
<li>
<p>
<strong>memory.reap_attempts</strong>: attempts to reclaim memory (now)
</p>
</li>
<li>
<p>
<strong>memory.reap_failures</strong>: failures to reclaim memory (now)
</p>
</li>
<li>
<p>
<strong>memory.max_in_use</strong>: highest allocated - deallocated (max)
</p>
</li>
<li>
<p>
<strong>memory.total_fudge</strong>: sum of all adjustments (now)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_network">network</h3>
<div class="paragraph"><p>What: configure basic network parameters</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
multi <strong>network.checksum_drop</strong> = none: drop if checksum is bad { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
</p>
</li>
<li>
<p>
multi <strong>network.checksum_eval</strong> = all: checksums to verify { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
</p>
</li>
<li>
<p>
bool <strong>network.decode_drops</strong> = false: enable dropping of packets by the decoder
</p>
</li>
<li>
<p>
int <strong>network.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>network.min_ttl</strong> = 1: alert / normalize packets with lower TTL / hop limit (you must enable rules and / or normalization also) { 1:255 }
</p>
</li>
<li>
<p>
int <strong>network.new_ttl</strong> = 1: use this value for responses and when normalizing { 1:255 }
</p>
</li>
<li>
<p>
int <strong>network.layers</strong> = 40: the maximum number of protocols that Snort can correctly decode { 3:255 }
</p>
</li>
<li>
<p>
int <strong>network.max_ip6_extensions</strong> = 0: the maximum number of IP6 options Snort will process for a given IPv6 layer before raising 116:456 (0 = unlimited) { 0:255 }
</p>
</li>
<li>
<p>
int <strong>network.max_ip_layers</strong> = 0: the maximum number of IP layers Snort will process for a given packet before raising 116:293 (0 = unlimited) { 0:255 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_output_2">output</h3>
<div class="paragraph"><p>What: configure general output parameters</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>output.dump_chars_only</strong> = false: turns on character dumps (same as -C)
</p>
</li>
<li>
<p>
bool <strong>output.dump_payload</strong> = false: dumps application layer (same as -d)
</p>
</li>
<li>
<p>
bool <strong>output.dump_payload_verbose</strong> = false: dumps raw packet starting at link layer (same as -X)
</p>
</li>
<li>
<p>
int <strong>output.event_trace.max_data</strong> = 0: maximum amount of packet data to capture { 0:65535 }
</p>
</li>
<li>
<p>
bool <strong>output.quiet</strong> = false: suppress non-fatal information (still show alerts, same as -q)
</p>
</li>
<li>
<p>
string <strong>output.logdir</strong> = .: where to put log files (same as -l)
</p>
</li>
<li>
<p>
bool <strong>output.show_year</strong> = false: include year in timestamp in the alert and log files (same as -y)
</p>
</li>
<li>
<p>
int <strong>output.tagged_packet_limit</strong> = 256: maximum number of packets tagged for non-packet metrics { 0:max32 }
</p>
</li>
<li>
<p>
bool <strong>output.verbose</strong> = false: be verbose (same as -v)
</p>
</li>
<li>
<p>
bool <strong>output.obfuscate</strong> = false: obfuscate the logged IP addresses (same as -O)
</p>
</li>
<li>
<p>
bool <strong>output.wide_hex_dump</strong> = false: output 20 bytes per lines instead of 16 when dumping buffers
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_packet_tracer">packet_tracer</h3>
<div class="paragraph"><p>What: generate debug trace messages for packets</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>packet_tracer.enable</strong> = false: enable summary output of state that determined packet verdict
</p>
</li>
<li>
<p>
enum <strong>packet_tracer.output</strong> = console: select where to send packet trace { console | file }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Commands:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>packet_tracer.enable</strong>(proto, src_ip, src_port, dst_ip, dst_port): enable packet tracer debugging
</p>
</li>
<li>
<p>
<strong>packet_tracer.disable</strong>(): disable packet tracer
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_packets">packets</h3>
<div class="paragraph"><p>What: configure basic packet handling</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>packets.address_space_agnostic</strong> = false: determines whether DAQ address space info is used to track fragments and connections
</p>
</li>
<li>
<p>
string <strong>packets.bpf_file</strong>: file with BPF to select traffic for Snort
</p>
</li>
<li>
<p>
int <strong>packets.limit</strong> = 0: maximum number of packets to process before stopping (0 is unlimited) { 0:max53 }
</p>
</li>
<li>
<p>
int <strong>packets.skip</strong> = 0: number of packets to skip before before processing { 0:max53 }
</p>
</li>
<li>
<p>
bool <strong>packets.vlan_agnostic</strong> = false: determines whether VLAN info is used to track fragments and connections
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_process">process</h3>
<div class="paragraph"><p>What: configure basic process setup</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>process.chroot</strong>: set chroot directory (same as -t)
</p>
</li>
<li>
<p>
string <strong><code>process.threads[].cpuset</code></strong>: pin the associated thread to this cpuset
</p>
</li>
<li>
<p>
int <strong><code>process.threads[].thread</code></strong> = 0: set cpu affinity for the &lt;cur_thread_num&gt; thread that runs { 0:65535 }
</p>
</li>
<li>
<p>
bool <strong>process.daemon</strong> = false: fork as a daemon (same as -D)
</p>
</li>
<li>
<p>
bool <strong>process.dirty_pig</strong> = false: shutdown without internal cleanup
</p>
</li>
<li>
<p>
string <strong>process.set_gid</strong>: set group ID (same as -g)
</p>
</li>
<li>
<p>
string <strong>process.set_uid</strong>: set user ID (same as -u)
</p>
</li>
<li>
<p>
int <strong>process.umask</strong>: set process umask (same as -m) { 0x000:0x1FF }
</p>
</li>
<li>
<p>
bool <strong>process.utc</strong> = false: use UTC instead of local time for timestamps
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_profiler">profiler</h3>
<div class="paragraph"><p>What: configure profiling of rules and/or modules</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>profiler.modules.show</strong> = true: show module time profile stats
</p>
</li>
<li>
<p>
int <strong>profiler.modules.count</strong> = 0: limit results to count items per level (0 = no limit) { 0:max32 }
</p>
</li>
<li>
<p>
enum <strong>profiler.modules.sort</strong> = total_time: sort by given field { none | checks | avg_check | total_time  }
</p>
</li>
<li>
<p>
int <strong>profiler.modules.max_depth</strong> = -1: limit depth to max_depth (-1 = no limit) { -1:255 }
</p>
</li>
<li>
<p>
bool <strong>profiler.memory.show</strong> = true: show module memory profile stats
</p>
</li>
<li>
<p>
int <strong>profiler.memory.count</strong> = 0: limit results to count items per level (0 = no limit) { 0:max32 }
</p>
</li>
<li>
<p>
enum <strong>profiler.memory.sort</strong> = total_used: sort by given field { none | allocations | total_used | avg_allocation  }
</p>
</li>
<li>
<p>
int <strong>profiler.memory.max_depth</strong> = -1: limit depth to max_depth (-1 = no limit) { -1:255 }
</p>
</li>
<li>
<p>
bool <strong>profiler.rules.show</strong> = true: show rule time profile stats
</p>
</li>
<li>
<p>
int <strong>profiler.rules.count</strong> = 0: print results to given level (0 = all) { 0:max32 }
</p>
</li>
<li>
<p>
enum <strong>profiler.rules.sort</strong> = total_time: sort by given field { none | checks | avg_check | total_time | matches | no_matches | avg_match | avg_no_match }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_rate_filter">rate_filter</h3>
<div class="paragraph"><p>What: configure rate filters (which change rule actions)</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong><code>rate_filter[].gid</code></strong> = 1: rule generator ID { 0:max32 }
</p>
</li>
<li>
<p>
int <strong><code>rate_filter[].sid</code></strong> = 1: rule signature ID { 0:max32 }
</p>
</li>
<li>
<p>
enum <strong><code>rate_filter[].track</code></strong> = by_src: filter only matching source or destination addresses { by_src | by_dst | by_rule }
</p>
</li>
<li>
<p>
int <strong><code>rate_filter[].count</code></strong> = 1: number of events in interval before tripping { 0:max32 }
</p>
</li>
<li>
<p>
int <strong><code>rate_filter[].seconds</code></strong> = 1: count interval { 0:max32 }
</p>
</li>
<li>
<p>
enum <strong><code>rate_filter[].new_action</code></strong> = alert: take this action on future hits until timeout { log | pass | alert | drop | block | reset }
</p>
</li>
<li>
<p>
int <strong><code>rate_filter[].timeout</code></strong> = 1: count interval { 0:max32 }
</p>
</li>
<li>
<p>
string <strong><code>rate_filter[].apply_to</code></strong>: restrict filter to these addresses according to track
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>rate_filter.no_memory</strong>: number of times rate filter ran out of memory (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_references">references</h3>
<div class="paragraph"><p>What: define reference systems used in rules</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong><code>references[].name</code></strong>: name used with reference rule option
</p>
</li>
<li>
<p>
string <strong><code>references[].url</code></strong>: where this reference is defined
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_rule_state">rule_state</h3>
<div class="paragraph"><p>What: enable/disable and set actions for specific IPS rules</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
enum <strong><code>rule_state.$gid_sid[].action</code></strong> = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | inherit }
</p>
</li>
<li>
<p>
enum <strong><code>rule_state.$gid_sid[].enable</code></strong> = inherit: enable or disable rule in current ips policy or use default defined by ips policy { no | yes | inherit }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_search_engine">search_engine</h3>
<div class="paragraph"><p>What: configure fast pattern matcher</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>search_engine.bleedover_port_limit</strong> = 1024: maximum ports in rule before demotion to any-any port group { 1:max32 }
</p>
</li>
<li>
<p>
bool <strong>search_engine.bleedover_warnings_enabled</strong> = false: print warning if a rule is demoted to any-any port group
</p>
</li>
<li>
<p>
bool <strong>search_engine.enable_single_rule_group</strong> = false: put all rules into one group
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug</strong> = false: print verbose fast pattern info
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug_print_nocontent_rule_tests</strong> = false: print rule group info during packet evaluation
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug_print_rule_group_build_details</strong> = false: print rule group info during compilation
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug_print_rule_groups_uncompiled</strong> = false: prints uncompiled rule group information
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug_print_rule_groups_compiled</strong> = false: prints compiled rule group information
</p>
</li>
<li>
<p>
int <strong>search_engine.max_pattern_len</strong> = 0: truncate patterns when compiling into state machine (0 means no maximum) { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>search_engine.max_queue_events</strong> = 5: maximum number of matching fast pattern states to queue per packet { 2:100 }
</p>
</li>
<li>
<p>
bool <strong>search_engine.detect_raw_tcp</strong> = false: detect on TCP payload before reassembly
</p>
</li>
<li>
<p>
dynamic <strong>search_engine.search_method</strong> = ac_bnfa: set fast pattern algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan | lowmem }
</p>
</li>
<li>
<p>
dynamic <strong>search_engine.offload_search_method</strong>: set fast pattern offload algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan | lowmem }
</p>
</li>
<li>
<p>
bool <strong>search_engine.search_optimize</strong> = true: tweak state machine construction for better performance
</p>
</li>
<li>
<p>
bool <strong>search_engine.show_fast_patterns</strong> = false: print fast pattern info for each rule
</p>
</li>
<li>
<p>
bool <strong>search_engine.split_any_any</strong> = true: evaluate any-any rules separately to save memory
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>search_engine.max_queued</strong>: maximum fast pattern matches queued for further evaluation (sum)
</p>
</li>
<li>
<p>
<strong>search_engine.total_flushed</strong>: fast pattern matches discarded due to overflow (sum)
</p>
</li>
<li>
<p>
<strong>search_engine.total_inserts</strong>: total fast pattern hits (sum)
</p>
</li>
<li>
<p>
<strong>search_engine.total_unique</strong>: total unique fast pattern hits (sum)
</p>
</li>
<li>
<p>
<strong>search_engine.non_qualified_events</strong>: total non-qualified events (sum)
</p>
</li>
<li>
<p>
<strong>search_engine.qualified_events</strong>: total qualified events (sum)
</p>
</li>
<li>
<p>
<strong>search_engine.searched_bytes</strong>: total bytes searched (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_side_channel_2">side_channel</h3>
<div class="paragraph"><p>What: implement the side-channel asynchronous messaging subsystem</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bit_list <strong>side_channel.ports</strong>: side channel message port list { 65535 }
</p>
</li>
<li>
<p>
string <strong><code>side_channel.connectors[].connector</code></strong>: connector handle
</p>
</li>
<li>
<p>
string <strong>side_channel.connector</strong>: connector handle
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>side_channel.packets</strong>: total packets (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_snort">snort</h3>
<div class="paragraph"><p>What: command line configuration and shell commands</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>snort.-?</strong>: &lt;option prefix&gt; output matching command line option quick help (same as --help-options) { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.-A</strong>: &lt;mode&gt; set alert mode: none, cmg, or alert_*
</p>
</li>
<li>
<p>
addr <strong>snort.-B</strong> = 255.255.255.255/32: &lt;mask&gt; obfuscated IP addresses in alerts and packet dumps using CIDR mask
</p>
</li>
<li>
<p>
implied <strong>snort.-C</strong>: print out payloads with character data only (no hex)
</p>
</li>
<li>
<p>
string <strong>snort.-c</strong>: &lt;conf&gt; use this configuration
</p>
</li>
<li>
<p>
implied <strong>snort.-D</strong>: run Snort in background (daemon) mode
</p>
</li>
<li>
<p>
implied <strong>snort.-d</strong>: dump the Application Layer
</p>
</li>
<li>
<p>
implied <strong>snort.-e</strong>: display the second layer header info
</p>
</li>
<li>
<p>
implied <strong>snort.-f</strong>: turn off fflush() calls after binary log writes
</p>
</li>
<li>
<p>
int <strong>snort.-G</strong>: &lt;0xid&gt; (same as --logid) { 0:65535 }
</p>
</li>
<li>
<p>
string <strong>snort.-g</strong>: &lt;gname&gt; run snort gid as &lt;gname&gt; group (or gid) after initialization
</p>
</li>
<li>
<p>
implied <strong>snort.-H</strong>: make hash tables deterministic
</p>
</li>
<li>
<p>
string <strong>snort.-i</strong>: &lt;iface&gt;&#8230; list of interfaces
</p>
</li>
<li>
<p>
port <strong>snort.-j</strong>: &lt;port&gt; to listen for Telnet connections
</p>
</li>
<li>
<p>
enum <strong>snort.-k</strong> = all: &lt;mode&gt; checksum mode; default is all { all|noip|notcp|noudp|noicmp|none }
</p>
</li>
<li>
<p>
string <strong>snort.-L</strong>: &lt;mode&gt; logging mode (none, dump, pcap, or log_*)
</p>
</li>
<li>
<p>
string <strong>snort.-l</strong>: &lt;logdir&gt; log to this directory instead of current directory
</p>
</li>
<li>
<p>
implied <strong>snort.-M</strong>: log messages to syslog (not alerts)
</p>
</li>
<li>
<p>
int <strong>snort.-m</strong>: &lt;umask&gt; set the process file mode creation mask { 0x000:0x1FF }
</p>
</li>
<li>
<p>
int <strong>snort.-n</strong>: &lt;count&gt; stop after count packets { 0:max53 }
</p>
</li>
<li>
<p>
implied <strong>snort.-O</strong>: obfuscate the logged IP addresses
</p>
</li>
<li>
<p>
implied <strong>snort.-Q</strong>: enable inline mode operation
</p>
</li>
<li>
<p>
implied <strong>snort.-q</strong>: quiet mode - Don&#8217;t show banner and status report
</p>
</li>
<li>
<p>
string <strong>snort.-R</strong>: &lt;rules&gt; include this rules file in the default policy
</p>
</li>
<li>
<p>
string <strong>snort.-r</strong>: &lt;pcap&gt;&#8230; (same as --pcap-list)
</p>
</li>
<li>
<p>
string <strong>snort.-S</strong>: &lt;x=v&gt; set config variable x equal to value v
</p>
</li>
<li>
<p>
int <strong>snort.-s</strong> = 1518: &lt;snap&gt; (same as --snaplen); default is 1518 { 68:65535 }
</p>
</li>
<li>
<p>
implied <strong>snort.-T</strong>: test and report on the current Snort configuration
</p>
</li>
<li>
<p>
string <strong>snort.-t</strong>: &lt;dir&gt; chroots process to &lt;dir&gt; after initialization
</p>
</li>
<li>
<p>
implied <strong>snort.-U</strong>: use UTC for timestamps
</p>
</li>
<li>
<p>
string <strong>snort.-u</strong>: &lt;uname&gt; run snort as &lt;uname&gt; or &lt;uid&gt; after initialization
</p>
</li>
<li>
<p>
implied <strong>snort.-V</strong>: (same as --version)
</p>
</li>
<li>
<p>
implied <strong>snort.-v</strong>: be verbose
</p>
</li>
<li>
<p>
implied <strong>snort.-X</strong>: dump the raw packet data starting at the link layer
</p>
</li>
<li>
<p>
implied <strong>snort.-x</strong>: same as --pedantic
</p>
</li>
<li>
<p>
implied <strong>snort.-y</strong>: include year in timestamp in the alert and log files
</p>
</li>
<li>
<p>
int <strong>snort.-z</strong>: &lt;count&gt; maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 { 0:max32 }
</p>
</li>
<li>
<p>
implied <strong>snort.--alert-before-pass</strong>: evaluate alert rules before pass rules; default is pass rules first
</p>
</li>
<li>
<p>
string <strong>snort.--bpf</strong>: &lt;filter options&gt; are standard BPF options, as seen in TCPDump
</p>
</li>
<li>
<p>
string <strong>snort.--c2x</strong>: output hex for given char (see also --x2c)
</p>
</li>
<li>
<p>
string <strong>snort.--control-socket</strong>: &lt;file&gt; to create unix socket
</p>
</li>
<li>
<p>
implied <strong>snort.--create-pidfile</strong>: create PID file, even when not in Daemon mode
</p>
</li>
<li>
<p>
string <strong>snort.--daq</strong>: &lt;type&gt; select packet acquisition module (default is pcap)
</p>
</li>
<li>
<p>
int <strong>snort.--daq-batch-size</strong> = 64: &lt;size&gt; set the DAQ receive batch size { 1: }
</p>
</li>
<li>
<p>
string <strong>snort.--daq-dir</strong>: &lt;dir&gt; tell snort where to find desired DAQ
</p>
</li>
<li>
<p>
implied <strong>snort.--daq-list</strong>: list packet acquisition modules available in optional dir, default is static modules only
</p>
</li>
<li>
<p>
enum <strong>snort.--daq-mode</strong>: &lt;mode&gt; select DAQ module operating mode (overrides automatic selection) { passive | inline | read-file }
</p>
</li>
<li>
<p>
string <strong>snort.--daq-var</strong>: &lt;name=value&gt; specify extra DAQ configuration variable
</p>
</li>
<li>
<p>
implied <strong>snort.--dirty-pig</strong>: don&#8217;t flush packets on shutdown
</p>
</li>
<li>
<p>
string <strong>snort.--dump-builtin-rules</strong>: [&lt;module prefix&gt;] output stub rules for selected modules { (optional) }
</p>
</li>
<li>
<p>
implied <strong>snort.--dump-dynamic-rules</strong>: output stub rules for all loaded rules libraries
</p>
</li>
<li>
<p>
string <strong>snort.--dump-defaults</strong>: [&lt;module prefix&gt;] output module defaults in Lua format { (optional) }
</p>
</li>
<li>
<p>
implied <strong>snort.--dump-version</strong>: output the version, the whole version, and only the version
</p>
</li>
<li>
<p>
implied <strong>snort.--enable-inline-test</strong>: enable Inline-Test Mode Operation
</p>
</li>
<li>
<p>
implied <strong>snort.--gen-msg-map</strong>: dump builtin rules in gen-msg.map format for use by other tools
</p>
</li>
<li>
<p>
implied <strong>snort.--help</strong>: list command line options
</p>
</li>
<li>
<p>
string <strong>snort.--help-commands</strong>: [&lt;module prefix&gt;] output matching commands { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.--help-config</strong>: [&lt;module prefix&gt;] output matching config options { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.--help-counts</strong>: [&lt;module prefix&gt;] output matching peg counts { (optional) }
</p>
</li>
<li>
<p>
implied <strong>snort.--help-limits</strong>: print the int upper bounds denoted by max*
</p>
</li>
<li>
<p>
string <strong>snort.--help-module</strong>: &lt;module&gt; output description of given module
</p>
</li>
<li>
<p>
implied <strong>snort.--help-modules</strong>: list all available modules with brief help
</p>
</li>
<li>
<p>
string <strong>snort.--help-options</strong>: [&lt;option prefix&gt;] output matching command line option quick help (same as -?) { (optional) }
</p>
</li>
<li>
<p>
implied <strong>snort.--help-plugins</strong>: list all available plugins with brief help
</p>
</li>
<li>
<p>
implied <strong>snort.--help-signals</strong>: dump available control signals
</p>
</li>
<li>
<p>
int <strong>snort.--id-offset</strong> = 0: offset to add to instance IDs when logging to files { 0:65535 }
</p>
</li>
<li>
<p>
implied <strong>snort.--id-subdir</strong>: create/use instance subdirectories in logdir instead of instance filename prefix
</p>
</li>
<li>
<p>
implied <strong>snort.--id-zero</strong>: use id prefix / subdirectory even with one packet thread
</p>
</li>
<li>
<p>
string <strong>snort.--include-path</strong>: &lt;path&gt; where to find Lua and rule included files; searched before current or config directories
</p>
</li>
<li>
<p>
implied <strong>snort.--list-buffers</strong>: output available inspection buffers
</p>
</li>
<li>
<p>
string <strong>snort.--list-builtin</strong>: [&lt;module prefix&gt;] output matching builtin rules { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.--list-gids</strong>: [&lt;module prefix&gt;] output matching generators { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.--list-modules</strong>: [&lt;module type&gt;] list all known modules of given type { (optional) }
</p>
</li>
<li>
<p>
implied <strong>snort.--list-plugins</strong>: list all known plugins
</p>
</li>
<li>
<p>
string <strong>snort.--lua</strong>: &lt;chunk&gt; extend/override conf with chunk; may be repeated
</p>
</li>
<li>
<p>
int <strong>snort.--logid</strong>: &lt;0xid&gt; log Identifier to uniquely id events for multiple snorts (same as -G) { 0:65535 }
</p>
</li>
<li>
<p>
implied <strong>snort.--markup</strong>: output help in asciidoc compatible format
</p>
</li>
<li>
<p>
int <strong>snort.--max-packet-threads</strong>: &lt;count&gt; configure maximum number of packet threads (same as -z) { 0:max32 }
</p>
</li>
<li>
<p>
implied <strong>snort.--mem-check</strong>: like -T but also compile search engines
</p>
</li>
<li>
<p>
implied <strong>snort.--nostamps</strong>: don&#8217;t include timestamps in log file names
</p>
</li>
<li>
<p>
implied <strong>snort.--nolock-pidfile</strong>: do not try to lock Snort PID file
</p>
</li>
<li>
<p>
implied <strong>snort.--pause</strong>: wait for resume/quit command before processing packets/terminating
</p>
</li>
<li>
<p>
string <strong>snort.--pcap-file</strong>: &lt;file&gt; file that contains a list of pcaps to read - read mode is implied
</p>
</li>
<li>
<p>
string <strong>snort.--pcap-list</strong>: &lt;list&gt; a space separated list of pcaps to read - read mode is implied
</p>
</li>
<li>
<p>
string <strong>snort.--pcap-dir</strong>: &lt;dir&gt; a directory to recurse to look for pcaps - read mode is implied
</p>
</li>
<li>
<p>
string <strong>snort.--pcap-filter</strong> = <strong>.*cap</strong>: &lt;filter&gt; filter to apply when getting pcaps from file or directory
</p>
</li>
<li>
<p>
int <strong>snort.--pcap-loop</strong>: &lt;count&gt; read all pcaps &lt;count&gt; times;  0 will read until Snort is terminated { 0:max32 }
</p>
</li>
<li>
<p>
implied <strong>snort.--pcap-no-filter</strong>: reset to use no filter when getting pcaps from file or directory
</p>
</li>
<li>
<p>
implied <strong>snort.--pcap-reload</strong>: if reading multiple pcaps, reload snort config between pcaps
</p>
</li>
<li>
<p>
implied <strong>snort.--pcap-show</strong>: print a line saying what pcap is currently being read
</p>
</li>
<li>
<p>
implied <strong>snort.--pedantic</strong>: warnings are fatal
</p>
</li>
<li>
<p>
string <strong>snort.--plugin-path</strong>: &lt;path&gt; where to find plugins
</p>
</li>
<li>
<p>
implied <strong>snort.--process-all-events</strong>: process all action groups
</p>
</li>
<li>
<p>
string <strong>snort.--rule</strong>: &lt;rules&gt; to be added to configuration; may be repeated
</p>
</li>
<li>
<p>
string <strong>snort.--rule-path</strong>: &lt;path&gt; where to find rules files
</p>
</li>
<li>
<p>
implied <strong>snort.--rule-to-hex</strong>: output so rule header to stdout for text rule on stdin
</p>
</li>
<li>
<p>
string <strong>snort.--rule-to-text</strong>: output plain so rule header to stdout for text rule on stdin (specify delimiter or [Snort_SO_Rule] will be used) { 16 }
</p>
</li>
<li>
<p>
string <strong>snort.--run-prefix</strong>: &lt;pfx&gt; prepend this to each output file
</p>
</li>
<li>
<p>
string <strong>snort.--script-path</strong>: &lt;path&gt; to a luajit script or directory containing luajit scripts
</p>
</li>
<li>
<p>
implied <strong>snort.--shell</strong>: enable the interactive command line
</p>
</li>
<li>
<p>
implied <strong>snort.--show-file-codes</strong>: indicate how files are located: A=absolute and W, F, C which are relative to the working directory, including file, and config file respectively
</p>
</li>
<li>
<p>
implied <strong>snort.--show-plugins</strong>: list module and plugin versions
</p>
</li>
<li>
<p>
int <strong>snort.--skip</strong>: &lt;n&gt; skip 1st n packets { 0:max53 }
</p>
</li>
<li>
<p>
int <strong>snort.--snaplen</strong> = 1518: &lt;snap&gt; set snaplen of packet (same as -s) { 68:65535 }
</p>
</li>
<li>
<p>
implied <strong>snort.--stdin-rules</strong>: read rules from stdin until EOF or a line starting with END is read
</p>
</li>
<li>
<p>
implied <strong>snort.--talos</strong>: enable Talos tweak (same as --tweaks talos)
</p>
</li>
<li>
<p>
implied <strong>snort.--treat-drop-as-alert</strong>: converts drop, block, and reset rules into alert rules when loaded
</p>
</li>
<li>
<p>
implied <strong>snort.--treat-drop-as-ignore</strong>: use drop, block, and reset rules to ignore session traffic when not inline
</p>
</li>
<li>
<p>
string <strong>snort.--tweaks</strong>: tune configuration
</p>
</li>
<li>
<p>
implied <strong>snort.--version</strong>: show version number (same as -V)
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-all</strong>: enable all warnings
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-conf</strong>: warn about configuration issues
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-daq</strong>: warn about DAQ issues, usually related to mode
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-flowbits</strong>: warn about flowbits that are checked but not set and vice-versa
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-hosts</strong>: warn about host table issues
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-plugins</strong>: warn about issues that prevent plugins from loading
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-rules</strong>: warn about duplicate rules and rule parsing issues
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-scripts</strong>: warn about issues discovered while processing Lua scripts
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-symbols</strong>: warn about unknown symbols in your Lua config
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-vars</strong>: warn about variable definition and usage issues
</p>
</li>
<li>
<p>
int <strong>snort.--x2c</strong>: output ASCII char for given hex (see also --c2x) { 0x00:0xFF }
</p>
</li>
<li>
<p>
string <strong>snort.--x2s</strong>: output ASCII string for given byte code (see also --x2c)
</p>
</li>
<li>
<p>
implied <strong>snort.--trace</strong>: turn on main loop debug trace
</p>
</li>
<li>
<p>
int <strong>snort.trace</strong>: mask for enabling debug traces in module { 0:max53 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Commands:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>snort.show_plugins</strong>(): show available plugins
</p>
</li>
<li>
<p>
<strong>snort.delete_inspector</strong>(inspector): delete an inspector from the default policy
</p>
</li>
<li>
<p>
<strong>snort.dump_stats</strong>(): show summary statistics
</p>
</li>
<li>
<p>
<strong>snort.rotate_stats</strong>(): roll perfmonitor log files
</p>
</li>
<li>
<p>
<strong>snort.reload_config</strong>(filename): load new configuration
</p>
</li>
<li>
<p>
<strong>snort.reload_policy</strong>(filename): reload part or all of the default policy
</p>
</li>
<li>
<p>
<strong>snort.reload_module</strong>(module): reload module
</p>
</li>
<li>
<p>
<strong>snort.reload_daq</strong>(): reload daq module
</p>
</li>
<li>
<p>
<strong>snort.reload_hosts</strong>(filename): load a new hosts table
</p>
</li>
<li>
<p>
<strong>snort.pause</strong>(): suspend packet processing
</p>
</li>
<li>
<p>
<strong>snort.resume</strong>(pkt_num): continue packet processing. If number of packet is specified, will resume for n packets and pause
</p>
</li>
<li>
<p>
<strong>snort.detach</strong>(): exit shell w/o shutdown
</p>
</li>
<li>
<p>
<strong>snort.quit</strong>(): shutdown and dump-stats
</p>
</li>
<li>
<p>
<strong>snort.help</strong>(): this output
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>snort.local_commands</strong>: total local commands processed (sum)
</p>
</li>
<li>
<p>
<strong>snort.remote_commands</strong>: total remote commands processed (sum)
</p>
</li>
<li>
<p>
<strong>snort.signals</strong>: total signals processed (sum)
</p>
</li>
<li>
<p>
<strong>snort.conf_reloads</strong>: number of times configuration was reloaded (sum)
</p>
</li>
<li>
<p>
<strong>snort.policy_reloads</strong>: number of times policies were reloaded (sum)
</p>
</li>
<li>
<p>
<strong>snort.inspector_deletions</strong>: number of times inspectors were deleted (sum)
</p>
</li>
<li>
<p>
<strong>snort.daq_reloads</strong>: number of times daq configuration was reloaded (sum)
</p>
</li>
<li>
<p>
<strong>snort.attribute_table_reloads</strong>: number of times hosts table was reloaded (sum)
</p>
</li>
<li>
<p>
<strong>snort.attribute_table_hosts</strong>: total number of hosts in table (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_suppress">suppress</h3>
<div class="paragraph"><p>What: configure event suppressions</p></div>
<div class="paragraph"><p>Type: basic</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong><code>suppress[].gid</code></strong> = 0: rule generator ID { 0:max32 }
</p>
</li>
<li>
<p>
int <strong><code>suppress[].sid</code></strong> = 0: rule signature ID { 0:max32 }
</p>
</li>
<li>
<p>
enum <strong><code>suppress[].track</code></strong>: suppress only matching source or destination addresses { by_src | by_dst }
</p>
</li>
<li>
<p>
string <strong><code>suppress[].ip</code></strong>: restrict suppression to these addresses according to track
</p>
</li>
</ul></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_codec_modules">Codec Modules</h2>
<div class="sectionbody">
<div class="paragraph"><p>Codec is short for coder / decoder.  These modules are used for basic
protocol decoding, anomaly detection, and construction of active responses.</p></div>
<div class="sect2">
<h3 id="_arp">arp</h3>
<div class="paragraph"><p>What: support for address resolution protocol</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:109</strong> (arp) truncated ARP
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_auth">auth</h3>
<div class="paragraph"><p>What: support for IP authentication header</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:465</strong> (auth) truncated authentication header
</p>
</li>
<li>
<p>
<strong>116:466</strong> (auth) bad authentication header length
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ciscometadata">ciscometadata</h3>
<div class="paragraph"><p>What: support for cisco metadata</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:468</strong> (ciscometadata) truncated Cisco Metadata header
</p>
</li>
<li>
<p>
<strong>116:469</strong> (ciscometadata) invalid Cisco Metadata option length
</p>
</li>
<li>
<p>
<strong>116:470</strong> (ciscometadata) invalid Cisco Metadata option type
</p>
</li>
<li>
<p>
<strong>116:471</strong> (ciscometadata) invalid Cisco Metadata SGT
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_eapol">eapol</h3>
<div class="paragraph"><p>What: support for extensible authentication protocol over LAN</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:110</strong> (eapol) truncated EAP header
</p>
</li>
<li>
<p>
<strong>116:111</strong> (eapol) EAP key truncated
</p>
</li>
<li>
<p>
<strong>116:112</strong> (eapol) EAP header truncated
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_erspan2">erspan2</h3>
<div class="paragraph"><p>What: support for encapsulated remote switched port analyzer - type 2</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:462</strong> (erspan2) ERSpan header version mismatch
</p>
</li>
<li>
<p>
<strong>116:463</strong> (erspan2) captured length &lt; ERSpan type2 header length
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_erspan3">erspan3</h3>
<div class="paragraph"><p>What: support for encapsulated remote switched port analyzer - type 3</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:464</strong> (erspan3) captured &lt; ERSpan type3 header length
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_esp">esp</h3>
<div class="paragraph"><p>What: support for encapsulating security payload</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>esp.decode_esp</strong> = false: enable for inspection of esp traffic that has authentication but not encryption
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:294</strong> (esp) truncated encapsulated security payload header
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_eth">eth</h3>
<div class="paragraph"><p>What: support for ethernet protocol (DLT 1) (DLT 51)</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:424</strong> (eth) truncated ethernet header
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_fabricpath">fabricpath</h3>
<div class="paragraph"><p>What: support for fabricpath</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:467</strong> (fabricpath) truncated FabricPath header
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_gre">gre</h3>
<div class="paragraph"><p>What: support for generic routing encapsulation</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:160</strong> (gre) GRE header length &gt; payload length
</p>
</li>
<li>
<p>
<strong>116:161</strong> (gre) multiple encapsulations in packet
</p>
</li>
<li>
<p>
<strong>116:162</strong> (gre) invalid GRE version
</p>
</li>
<li>
<p>
<strong>116:163</strong> (gre) invalid GRE header
</p>
</li>
<li>
<p>
<strong>116:164</strong> (gre) invalid GRE v.1 PPTP header
</p>
</li>
<li>
<p>
<strong>116:165</strong> (gre) GRE trans header length &gt; payload length
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_gtp">gtp</h3>
<div class="paragraph"><p>What: support for general-packet-radio-service tunneling protocol</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:297</strong> (gtp) two or more GTP encapsulation layers present
</p>
</li>
<li>
<p>
<strong>116:298</strong> (gtp) GTP header length is invalid
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_icmp4">icmp4</h3>
<div class="paragraph"><p>What: support for Internet control message protocol v4</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:105</strong> (icmp4) ICMP header truncated
</p>
</li>
<li>
<p>
<strong>116:106</strong> (icmp4) ICMP timestamp header truncated
</p>
</li>
<li>
<p>
<strong>116:107</strong> (icmp4) ICMP address header truncated
</p>
</li>
<li>
<p>
<strong>116:250</strong> (icmp4) ICMP original IP header truncated
</p>
</li>
<li>
<p>
<strong>116:251</strong> (icmp4) ICMP version and original IP header versions differ
</p>
</li>
<li>
<p>
<strong>116:252</strong> (icmp4) ICMP original datagram length &lt; original IP header length
</p>
</li>
<li>
<p>
<strong>116:253</strong> (icmp4) ICMP original IP payload &lt; 64 bits
</p>
</li>
<li>
<p>
<strong>116:254</strong> (icmp4) ICMP original IP payload &gt; 576 bytes
</p>
</li>
<li>
<p>
<strong>116:255</strong> (icmp4) ICMP original IP fragmented and offset not 0
</p>
</li>
<li>
<p>
<strong>116:415</strong> (icmp4) ICMP4 packet to multicast dest address
</p>
</li>
<li>
<p>
<strong>116:416</strong> (icmp4) ICMP4 packet to broadcast dest address
</p>
</li>
<li>
<p>
<strong>116:418</strong> (icmp4) ICMP4 type other
</p>
</li>
<li>
<p>
<strong>116:434</strong> (icmp4) ICMP ping Nmap
</p>
</li>
<li>
<p>
<strong>116:435</strong> (icmp4) ICMP icmpenum v1.1.1
</p>
</li>
<li>
<p>
<strong>116:436</strong> (icmp4) ICMP redirect host
</p>
</li>
<li>
<p>
<strong>116:437</strong> (icmp4) ICMP redirect net
</p>
</li>
<li>
<p>
<strong>116:438</strong> (icmp4) ICMP traceroute ipopts
</p>
</li>
<li>
<p>
<strong>116:439</strong> (icmp4) ICMP source quench
</p>
</li>
<li>
<p>
<strong>116:440</strong> (icmp4) broadscan smurf scanner
</p>
</li>
<li>
<p>
<strong>116:441</strong> (icmp4) ICMP destination unreachable communication administratively prohibited
</p>
</li>
<li>
<p>
<strong>116:442</strong> (icmp4) ICMP destination unreachable communication with destination host is administratively prohibited
</p>
</li>
<li>
<p>
<strong>116:443</strong> (icmp4) ICMP destination unreachable communication with destination network is administratively prohibited
</p>
</li>
<li>
<p>
<strong>116:451</strong> (icmp4) ICMP path MTU denial of service attempt
</p>
</li>
<li>
<p>
<strong>116:452</strong> (icmp4) Linux ICMP header DOS attempt
</p>
</li>
<li>
<p>
<strong>116:426</strong> (icmp4) truncated ICMP4 header
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>icmp4.bad_checksum</strong>: non-zero icmp checksums (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_icmp6">icmp6</h3>
<div class="paragraph"><p>What: support for Internet control message protocol v6</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:427</strong> (icmp6) truncated ICMPv6 header
</p>
</li>
<li>
<p>
<strong>116:431</strong> (icmp6) ICMPv6 type not decoded
</p>
</li>
<li>
<p>
<strong>116:432</strong> (icmp6) ICMPv6 packet to multicast address
</p>
</li>
<li>
<p>
<strong>116:285</strong> (icmp6) ICMPv6 packet of type 2 (message too big) with MTU field &lt; 1280
</p>
</li>
<li>
<p>
<strong>116:286</strong> (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 2463 code
</p>
</li>
<li>
<p>
<strong>116:287</strong> (icmp6) ICMPv6 router solicitation packet with a code not equal to 0
</p>
</li>
<li>
<p>
<strong>116:288</strong> (icmp6) ICMPv6 router advertisement packet with a code not equal to 0
</p>
</li>
<li>
<p>
<strong>116:289</strong> (icmp6) ICMPv6 router solicitation packet with the reserved field not equal to 0
</p>
</li>
<li>
<p>
<strong>116:290</strong> (icmp6) ICMPv6 router advertisement packet with the reachable time field set &gt; 1 hour
</p>
</li>
<li>
<p>
<strong>116:457</strong> (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 4443 code
</p>
</li>
<li>
<p>
<strong>116:460</strong> (icmp6) ICMPv6 node info query/response packet with a code greater than 2
</p>
</li>
<li>
<p>
<strong>116:474</strong> (icmp6) ICMPv6 not encapsulated in IPv6
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>icmp6.bad_icmp6_checksum</strong>: nonzero icmp6 checksums (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_igmp">igmp</h3>
<div class="paragraph"><p>What: support for Internet group management protocol</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:455</strong> (igmp) DOS IGMP IP options validation attempt
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ipv4">ipv4</h3>
<div class="paragraph"><p>What: support for Internet protocol v4 (DLT 228)</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:1</strong> (ipv4) not IPv4 datagram
</p>
</li>
<li>
<p>
<strong>116:2</strong> (ipv4) IPv4 header length &lt; minimum
</p>
</li>
<li>
<p>
<strong>116:3</strong> (ipv4) IPv4 datagram length &lt; header field
</p>
</li>
<li>
<p>
<strong>116:4</strong> (ipv4) IPv4 options found with bad lengths
</p>
</li>
<li>
<p>
<strong>116:5</strong> (ipv4) truncated IPv4 options
</p>
</li>
<li>
<p>
<strong>116:6</strong> (ipv4) IPv4 datagram length &gt; captured length
</p>
</li>
<li>
<p>
<strong>116:404</strong> (ipv4) IPv4 packet with zero TTL
</p>
</li>
<li>
<p>
<strong>116:405</strong> (ipv4) IPv4 packet with bad frag bits (both MF and DF set)
</p>
</li>
<li>
<p>
<strong>116:407</strong> (ipv4) IPv4 packet frag offset + length exceed maximum
</p>
</li>
<li>
<p>
<strong>116:408</strong> (ipv4) IPv4 packet from <em>current net</em> source address
</p>
</li>
<li>
<p>
<strong>116:409</strong> (ipv4) IPv4 packet to <em>current net</em> dest address
</p>
</li>
<li>
<p>
<strong>116:410</strong> (ipv4) IPv4 packet from multicast source address
</p>
</li>
<li>
<p>
<strong>116:411</strong> (ipv4) IPv4 packet from reserved source address
</p>
</li>
<li>
<p>
<strong>116:412</strong> (ipv4) IPv4 packet to reserved dest address
</p>
</li>
<li>
<p>
<strong>116:413</strong> (ipv4) IPv4 packet from broadcast source address
</p>
</li>
<li>
<p>
<strong>116:414</strong> (ipv4) IPv4 packet to broadcast dest address
</p>
</li>
<li>
<p>
<strong>116:428</strong> (ipv4) IPv4 packet below TTL limit
</p>
</li>
<li>
<p>
<strong>116:430</strong> (ipv4) IPv4 packet both DF and offset set
</p>
</li>
<li>
<p>
<strong>116:448</strong> (ipv4) IPv4 reserved bit set
</p>
</li>
<li>
<p>
<strong>116:444</strong> (ipv4) IPv4 option set
</p>
</li>
<li>
<p>
<strong>116:425</strong> (ipv4) truncated IPv4 header
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>ipv4.bad_checksum</strong>: nonzero ip checksums (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ipv6">ipv6</h3>
<div class="paragraph"><p>What: support for Internet protocol v6 (DLT 229)</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:270</strong> (ipv6) IPv6 packet below TTL limit
</p>
</li>
<li>
<p>
<strong>116:271</strong> (ipv6) IPv6 header claims to not be IPv6
</p>
</li>
<li>
<p>
<strong>116:272</strong> (ipv6) IPv6 truncated extension header
</p>
</li>
<li>
<p>
<strong>116:273</strong> (ipv6) IPv6 truncated header
</p>
</li>
<li>
<p>
<strong>116:274</strong> (ipv6) IPv6 datagram length &lt; header field
</p>
</li>
<li>
<p>
<strong>116:275</strong> (ipv6) IPv6 datagram length &gt; captured length
</p>
</li>
<li>
<p>
<strong>116:276</strong> (ipv6) IPv6 packet with destination address ::0
</p>
</li>
<li>
<p>
<strong>116:277</strong> (ipv6) IPv6 packet with multicast source address
</p>
</li>
<li>
<p>
<strong>116:278</strong> (ipv6) IPv6 packet with reserved multicast destination address
</p>
</li>
<li>
<p>
<strong>116:279</strong> (ipv6) IPv6 header includes an undefined option type
</p>
</li>
<li>
<p>
<strong>116:280</strong> (ipv6) IPv6 address includes an unassigned multicast scope value
</p>
</li>
<li>
<p>
<strong>116:281</strong> (ipv6) IPv6 header includes an invalid value for the <em>next header</em> field
</p>
</li>
<li>
<p>
<strong>116:282</strong> (ipv6) IPv6 header includes a routing extension header followed by a hop-by-hop header
</p>
</li>
<li>
<p>
<strong>116:283</strong> (ipv6) IPv6 header includes two routing extension headers
</p>
</li>
<li>
<p>
<strong>116:292</strong> (ipv6) IPv6 header has destination options followed by a routing header
</p>
</li>
<li>
<p>
<strong>116:291</strong> (ipv6) IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux kernel attack
</p>
</li>
<li>
<p>
<strong>116:295</strong> (ipv6) IPv6 header includes an option which is too big for the containing header
</p>
</li>
<li>
<p>
<strong>116:296</strong> (ipv6) IPv6 packet includes out-of-order extension headers
</p>
</li>
<li>
<p>
<strong>116:429</strong> (ipv6) IPv6 packet has zero hop limit
</p>
</li>
<li>
<p>
<strong>116:453</strong> (ipv6) ISATAP-addressed IPv6 traffic spoofing attempt
</p>
</li>
<li>
<p>
<strong>116:458</strong> (ipv6) bogus fragmentation packet, possible BSD attack
</p>
</li>
<li>
<p>
<strong>116:461</strong> (ipv6) IPv6 routing type 0 extension header
</p>
</li>
<li>
<p>
<strong>116:456</strong> (ipv6) too many IPv6 extension headers
</p>
</li>
<li>
<p>
<strong>116:475</strong> (ipv6) IPv6 mobility header includes an invalid value for the <em>payload protocol</em> field
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_llc">llc</h3>
<div class="paragraph"><p>What: support for logical link control</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:131</strong> (llc) bad LLC header
</p>
</li>
<li>
<p>
<strong>116:132</strong> (llc) bad extra LLC info
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_mpls">mpls</h3>
<div class="paragraph"><p>What: support for multiprotocol label switching</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>mpls.enable_mpls_multicast</strong> = false: enables support for MPLS multicast
</p>
</li>
<li>
<p>
bool <strong>mpls.enable_mpls_overlapping_ip</strong> = false: enable if private network addresses overlap and must be differentiated by MPLS label(s)
</p>
</li>
<li>
<p>
int <strong>mpls.max_mpls_stack_depth</strong> = -1: set MPLS stack depth { -1:255 }
</p>
</li>
<li>
<p>
enum <strong>mpls.mpls_payload_type</strong> = ip4: set encapsulated payload type { eth | ip4 | ip6 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:170</strong> (mpls) bad MPLS frame
</p>
</li>
<li>
<p>
<strong>116:171</strong> (mpls) MPLS label 0 appears in non-bottom header
</p>
</li>
<li>
<p>
<strong>116:172</strong> (mpls) MPLS label 1 appears in bottom header
</p>
</li>
<li>
<p>
<strong>116:173</strong> (mpls) MPLS label 2 appears in non-bottom header
</p>
</li>
<li>
<p>
<strong>116:174</strong> (mpls) MPLS label 3 appears in header
</p>
</li>
<li>
<p>
<strong>116:175</strong> (mpls) MPLS label 4, 5,.. or 15 appears in header
</p>
</li>
<li>
<p>
<strong>116:176</strong> (mpls) too many MPLS headers
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>mpls.total_packets</strong>: total mpls labeled packets processed (sum)
</p>
</li>
<li>
<p>
<strong>mpls.total_bytes</strong>: total mpls labeled bytes processed (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_pbb">pbb</h3>
<div class="paragraph"><p>What: support for 802.1ah protocol</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:424</strong> (pbb) truncated ethernet header
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_pgm">pgm</h3>
<div class="paragraph"><p>What: support for pragmatic general multicast</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:454</strong> (pgm) PGM nak list overflow attempt
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_pppoe">pppoe</h3>
<div class="paragraph"><p>What: support for point-to-point protocol over ethernet</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:120</strong> (pppoe) bad PPPOE frame detected
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_tcp_2">tcp</h3>
<div class="paragraph"><p>What: support for transmission control protocol</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:45</strong> (tcp) TCP packet length is smaller than 20 bytes
</p>
</li>
<li>
<p>
<strong>116:46</strong> (tcp) TCP data offset is less than 5
</p>
</li>
<li>
<p>
<strong>116:47</strong> (tcp) TCP header length exceeds packet length
</p>
</li>
<li>
<p>
<strong>116:54</strong> (tcp) TCP options found with bad lengths
</p>
</li>
<li>
<p>
<strong>116:55</strong> (tcp) truncated TCP options
</p>
</li>
<li>
<p>
<strong>116:56</strong> (tcp) T/TCP detected
</p>
</li>
<li>
<p>
<strong>116:57</strong> (tcp) obsolete TCP options found
</p>
</li>
<li>
<p>
<strong>116:58</strong> (tcp) experimental TCP options found
</p>
</li>
<li>
<p>
<strong>116:59</strong> (tcp) TCP window scale option found with length &gt; 14
</p>
</li>
<li>
<p>
<strong>116:400</strong> (tcp) XMAS attack detected
</p>
</li>
<li>
<p>
<strong>116:401</strong> (tcp) Nmap XMAS attack detected
</p>
</li>
<li>
<p>
<strong>116:419</strong> (tcp) TCP urgent pointer exceeds payload length or no payload
</p>
</li>
<li>
<p>
<strong>116:420</strong> (tcp) TCP SYN with FIN
</p>
</li>
<li>
<p>
<strong>116:421</strong> (tcp) TCP SYN with RST
</p>
</li>
<li>
<p>
<strong>116:422</strong> (tcp) TCP PDU missing ack for established session
</p>
</li>
<li>
<p>
<strong>116:423</strong> (tcp) TCP has no SYN, ACK, or RST
</p>
</li>
<li>
<p>
<strong>116:433</strong> (tcp) DDOS shaft SYN flood
</p>
</li>
<li>
<p>
<strong>116:446</strong> (tcp) TCP port 0 traffic
</p>
</li>
<li>
<p>
<strong>116:402</strong> (tcp) DOS NAPTHA vulnerability detected
</p>
</li>
<li>
<p>
<strong>116:403</strong> (tcp) SYN to multicast address
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>tcp.bad_tcp4_checksum</strong>: nonzero tcp over ip checksums (sum)
</p>
</li>
<li>
<p>
<strong>tcp.bad_tcp6_checksum</strong>: nonzero tcp over ipv6 checksums (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_token_ring">token_ring</h3>
<div class="paragraph"><p>What: support for token ring decoding</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:140</strong> (token_ring) bad Token Ring header
</p>
</li>
<li>
<p>
<strong>116:141</strong> (token_ring) bad Token Ring ETHLLC header
</p>
</li>
<li>
<p>
<strong>116:142</strong> (token_ring) bad Token Ring MRLEN header
</p>
</li>
<li>
<p>
<strong>116:143</strong> (token_ring) bad Token Ring MR header
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_udp_2">udp</h3>
<div class="paragraph"><p>What: support for user datagram protocol</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>udp.deep_teredo_inspection</strong> = false: look for Teredo on all UDP ports (default is only 3544)
</p>
</li>
<li>
<p>
bool <strong>udp.enable_gtp</strong> = false: decode GTP encapsulations
</p>
</li>
<li>
<p>
bit_list <strong>udp.gtp_ports</strong> = 2152 3386: set GTP ports { 65535 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:95</strong> (udp) truncated UDP header
</p>
</li>
<li>
<p>
<strong>116:96</strong> (udp) invalid UDP header, length field &lt; 8
</p>
</li>
<li>
<p>
<strong>116:97</strong> (udp) short UDP packet, length field &gt; payload length
</p>
</li>
<li>
<p>
<strong>116:98</strong> (udp) long UDP packet, length field &lt; payload length
</p>
</li>
<li>
<p>
<strong>116:406</strong> (udp) invalid IPv6 UDP packet, checksum zero
</p>
</li>
<li>
<p>
<strong>116:445</strong> (udp) large UDP packet (&gt; 4000 bytes)
</p>
</li>
<li>
<p>
<strong>116:447</strong> (udp) UDP port 0 traffic
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>udp.bad_udp4_checksum</strong>: nonzero udp over ipv4 checksums (sum)
</p>
</li>
<li>
<p>
<strong>udp.bad_udp6_checksum</strong>: nonzero udp over ipv6 checksums (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_vlan">vlan</h3>
<div class="paragraph"><p>What: support for local area network</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:130</strong> (vlan) bad VLAN frame
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_wlan">wlan</h3>
<div class="paragraph"><p>What: support for wireless local area network protocol (DLT 105)</p></div>
<div class="paragraph"><p>Type: codec</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>116:133</strong> (wlan) bad 802.11 LLC header
</p>
</li>
<li>
<p>
<strong>116:134</strong> (wlan) bad 802.11 extra LLC info
</p>
</li>
</ul></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_connector_modules">Connector Modules</h2>
<div class="sectionbody">
<div class="paragraph"><p>Connectors support High Availability communication links.</p></div>
<div class="sect2">
<h3 id="_file_connector">file_connector</h3>
<div class="paragraph"><p>What: implement the file based connector</p></div>
<div class="paragraph"><p>Type: connector</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>file_connector.connector</strong>: connector name
</p>
</li>
<li>
<p>
string <strong>file_connector.name</strong>: channel name
</p>
</li>
<li>
<p>
enum <strong>file_connector.format</strong>: file format { binary | text }
</p>
</li>
<li>
<p>
enum <strong>file_connector.direction</strong>: usage { receive | transmit | duplex }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>file_connector.messages</strong>: total messages (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_tcp_connector">tcp_connector</h3>
<div class="paragraph"><p>What: implement the tcp stream connector</p></div>
<div class="paragraph"><p>Type: connector</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>tcp_connector.connector</strong>: connector name
</p>
</li>
<li>
<p>
string <strong>tcp_connector.address</strong>: address
</p>
</li>
<li>
<p>
port <strong>tcp_connector.base_port</strong>: base port number
</p>
</li>
<li>
<p>
enum <strong>tcp_connector.setup</strong>: stream establishment { call | answer }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>tcp_connector.messages</strong>: total messages (sum)
</p>
</li>
</ul></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_inspector_modules">Inspector Modules</h2>
<div class="sectionbody">
<div class="paragraph"><p>These modules perform a variety of functions, including analysis of
protocols beyond basic decoding.</p></div>
<div class="sect2">
<h3 id="_appid_2">appid</h3>
<div class="paragraph"><p>What: application and service identification</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>appid.memcap</strong> = 1048576: max size of the service cache before we start pruning the cache { 1024:maxSZ }
</p>
</li>
<li>
<p>
bool <strong>appid.log_stats</strong> = false: enable logging of appid statistics
</p>
</li>
<li>
<p>
int <strong>appid.app_stats_period</strong> = 300: time period for collecting and logging appid statistics { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>appid.app_stats_rollover_size</strong> = 20971520: max file size for appid stats before rolling over the log file { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>appid.app_stats_rollover_time</strong> = 86400: max time period for collection appid stats before rolling over the log file { 0:max31 }
</p>
</li>
<li>
<p>
string <strong>appid.app_detector_dir</strong>: directory to load appid detectors from
</p>
</li>
<li>
<p>
int <strong>appid.instance_id</strong> = 0: instance id - ignored { 0:max32 }
</p>
</li>
<li>
<p>
bool <strong>appid.debug</strong> = false: enable appid debug logging
</p>
</li>
<li>
<p>
bool <strong>appid.dump_ports</strong> = false: enable dump of appid port information
</p>
</li>
<li>
<p>
string <strong>appid.tp_appid_path</strong>: path to third party appid dynamic library
</p>
</li>
<li>
<p>
string <strong>appid.tp_appid_config</strong>: path to third party appid configuration file
</p>
</li>
<li>
<p>
bool <strong>appid.tp_appid_stats_enable</strong>: enable collection of stats and print stats on exit in third party module
</p>
</li>
<li>
<p>
bool <strong>appid.tp_appid_config_dump</strong>: print third party configuration on startup
</p>
</li>
<li>
<p>
bool <strong>appid.log_all_sessions</strong> = false: enable logging of all appid sessions
</p>
</li>
<li>
<p>
int <strong>appid.trace</strong>: mask for enabling debug traces in module { 0:max53 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Commands:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>appid.enable_debug</strong>(proto, src_ip, src_port, dst_ip, dst_port): enable appid debugging
</p>
</li>
<li>
<p>
<strong>appid.disable_debug</strong>(): disable appid debugging
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>appid.packets</strong>: count of packets received (sum)
</p>
</li>
<li>
<p>
<strong>appid.processed_packets</strong>: count of packets processed (sum)
</p>
</li>
<li>
<p>
<strong>appid.ignored_packets</strong>: count of packets ignored (sum)
</p>
</li>
<li>
<p>
<strong>appid.total_sessions</strong>: count of sessions created (sum)
</p>
</li>
<li>
<p>
<strong>appid.appid_unknown</strong>: count of sessions where appid could not be determined (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_arp_spoof">arp_spoof</h3>
<div class="paragraph"><p>What: detect ARP attacks and anomalies</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
ip4 <strong><code>arp_spoof.hosts[].ip</code></strong>: host ip address
</p>
</li>
<li>
<p>
mac <strong><code>arp_spoof.hosts[].mac</code></strong>: host mac address
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>112:1</strong> (arp_spoof) unicast ARP request
</p>
</li>
<li>
<p>
<strong>112:2</strong> (arp_spoof) ethernet/ARP mismatch request for source
</p>
</li>
<li>
<p>
<strong>112:3</strong> (arp_spoof) ethernet/ARP mismatch request for destination
</p>
</li>
<li>
<p>
<strong>112:4</strong> (arp_spoof) attempted ARP cache overwrite attack
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>arp_spoof.packets</strong>: total packets (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_back_orifice">back_orifice</h3>
<div class="paragraph"><p>What: back orifice detection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>105:1</strong> (back_orifice) BO traffic detected
</p>
</li>
<li>
<p>
<strong>105:2</strong> (back_orifice) BO client traffic detected
</p>
</li>
<li>
<p>
<strong>105:3</strong> (back_orifice) BO server traffic detected
</p>
</li>
<li>
<p>
<strong>105:4</strong> (back_orifice) BO Snort buffer attack
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>back_orifice.packets</strong>: total packets (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_binder_2">binder</h3>
<div class="paragraph"><p>What: configure processing based on CIDRs, ports, services, etc.</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong><code>binder[].when.ips_policy_id</code></strong> = 0: unique ID for selection of this config by external logic { 0:max32 }
</p>
</li>
<li>
<p>
bit_list <strong><code>binder[].when.ifaces</code></strong>: list of interface indices { 255 }
</p>
</li>
<li>
<p>
bit_list <strong><code>binder[].when.vlans</code></strong>: list of VLAN IDs { 4095 }
</p>
</li>
<li>
<p>
addr_list <strong><code>binder[].when.nets</code></strong>: list of networks
</p>
</li>
<li>
<p>
addr_list <strong><code>binder[].when.src_nets</code></strong>: list of source networks
</p>
</li>
<li>
<p>
addr_list <strong><code>binder[].when.dst_nets</code></strong>: list of destination networks
</p>
</li>
<li>
<p>
enum <strong><code>binder[].when.proto</code></strong>: protocol { any | ip | icmp | tcp | udp | user | file }
</p>
</li>
<li>
<p>
bit_list <strong><code>binder[].when.ports</code></strong>: list of ports { 65535 }
</p>
</li>
<li>
<p>
bit_list <strong><code>binder[].when.src_ports</code></strong>: list of source ports { 65535 }
</p>
</li>
<li>
<p>
bit_list <strong><code>binder[].when.dst_ports</code></strong>: list of destination ports { 65535 }
</p>
</li>
<li>
<p>
bit_list <strong><code>binder[].when.zones</code></strong>: zones { 63 }
</p>
</li>
<li>
<p>
bit_list <strong><code>binder[].when.src_zone</code></strong>: source zone { 63 }
</p>
</li>
<li>
<p>
bit_list <strong><code>binder[].when.dst_zone</code></strong>: destination zone { 63 }
</p>
</li>
<li>
<p>
enum <strong><code>binder[].when.role</code></strong> = any: use the given configuration on one or any end of a session { client | server | any }
</p>
</li>
<li>
<p>
string <strong><code>binder[].when.service</code></strong>: override default configuration
</p>
</li>
<li>
<p>
enum <strong><code>binder[].use.action</code></strong> = inspect: what to do with matching traffic { reset | block | allow | inspect }
</p>
</li>
<li>
<p>
string <strong><code>binder[].use.file</code></strong>: use configuration in given file
</p>
</li>
<li>
<p>
string <strong><code>binder[].use.inspection_policy</code></strong>: use inspection policy from given file
</p>
</li>
<li>
<p>
string <strong><code>binder[].use.ips_policy</code></strong>: use ips policy from given file
</p>
</li>
<li>
<p>
string <strong><code>binder[].use.network_policy</code></strong>: use network policy from given file
</p>
</li>
<li>
<p>
string <strong><code>binder[].use.service</code></strong>: override automatic service identification
</p>
</li>
<li>
<p>
string <strong><code>binder[].use.type</code></strong>: select module for binding
</p>
</li>
<li>
<p>
string <strong><code>binder[].use.name</code></strong>: symbol name (defaults to type)
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>binder.packets</strong>: initial bindings (sum)
</p>
</li>
<li>
<p>
<strong>binder.resets</strong>: reset bindings (sum)
</p>
</li>
<li>
<p>
<strong>binder.blocks</strong>: block bindings (sum)
</p>
</li>
<li>
<p>
<strong>binder.allows</strong>: allow bindings (sum)
</p>
</li>
<li>
<p>
<strong>binder.inspects</strong>: inspect bindings (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_data_log">data_log</h3>
<div class="paragraph"><p>What: log selected published data to data.log</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
select <strong>data_log.key</strong> = http_request_header_event : name of the event to log { http_request_header_event | http_response_header_event }
</p>
</li>
<li>
<p>
int <strong>data_log.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:max32 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>data_log.packets</strong>: total packets (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_dce_http_proxy">dce_http_proxy</h3>
<div class="paragraph"><p>What: dce over http inspection - client to/from proxy</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>dce_http_proxy.http_proxy_sessions</strong>: successful http proxy sessions (sum)
</p>
</li>
<li>
<p>
<strong>dce_http_proxy.http_proxy_session_failures</strong>: failed http proxy sessions (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_dce_http_server">dce_http_server</h3>
<div class="paragraph"><p>What: dce over http inspection - proxy to/from server</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>dce_http_server.http_server_sessions</strong>: successful http server sessions (sum)
</p>
</li>
<li>
<p>
<strong>dce_http_server.http_server_session_failures</strong>: failed http server sessions (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_dce_smb">dce_smb</h3>
<div class="paragraph"><p>What: dce over smb inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>dce_smb.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow
</p>
</li>
<li>
<p>
bool <strong>dce_smb.disable_defrag</strong> = false: disable DCE/RPC defragmentation
</p>
</li>
<li>
<p>
int <strong>dce_smb.max_frag_len</strong> = 65535: maximum fragment size for defragmentation { 1514:65535 }
</p>
</li>
<li>
<p>
int <strong>dce_smb.reassemble_threshold</strong> = 0: minimum bytes received before performing reassembly { 0:65535 }
</p>
</li>
<li>
<p>
enum <strong>dce_smb.smb_fingerprint_policy</strong> = none: target based SMB policy to use { none | client |  server | both  }
</p>
</li>
<li>
<p>
enum <strong>dce_smb.policy</strong> = WinXP: target based policy to use { Win2000 |  WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba | Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20 }
</p>
</li>
<li>
<p>
int <strong>dce_smb.smb_max_chain</strong> = 3: SMB max chain size { 0:255 }
</p>
</li>
<li>
<p>
int <strong>dce_smb.smb_max_compound</strong> = 3: SMB max compound size { 0:255 }
</p>
</li>
<li>
<p>
multi <strong>dce_smb.valid_smb_versions</strong> = all: valid SMB versions { v1 | v2 | all }
</p>
</li>
<li>
<p>
enum <strong>dce_smb.smb_file_inspection</strong> = off: SMB file inspection { off | on | only }
</p>
</li>
<li>
<p>
int <strong>dce_smb.smb_file_depth</strong> = 16384: SMB file depth for file data { -1:32767 }
</p>
</li>
<li>
<p>
string <strong>dce_smb.smb_invalid_shares</strong>: SMB shares to alert on
</p>
</li>
<li>
<p>
bool <strong>dce_smb.smb_legacy_mode</strong> = false: inspect only SMBv1
</p>
</li>
<li>
<p>
int <strong>dce_smb.trace</strong>: mask for enabling debug traces in module { 0:max53 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>133:2</strong> (dce_smb) SMB - bad NetBIOS session service session type
</p>
</li>
<li>
<p>
<strong>133:3</strong> (dce_smb) SMB - bad SMB message type
</p>
</li>
<li>
<p>
<strong>133:4</strong> (dce_smb) SMB - bad SMB Id (not \xffSMB for SMB1 or not \xfeSMB for SMB2)
</p>
</li>
<li>
<p>
<strong>133:5</strong> (dce_smb) SMB - bad word count or structure size
</p>
</li>
<li>
<p>
<strong>133:6</strong> (dce_smb) SMB - bad byte count
</p>
</li>
<li>
<p>
<strong>133:7</strong> (dce_smb) SMB - bad format type
</p>
</li>
<li>
<p>
<strong>133:8</strong> (dce_smb) SMB - bad offset
</p>
</li>
<li>
<p>
<strong>133:9</strong> (dce_smb) SMB - zero total data count
</p>
</li>
<li>
<p>
<strong>133:10</strong> (dce_smb) SMB - NetBIOS data length less than SMB header length
</p>
</li>
<li>
<p>
<strong>133:11</strong> (dce_smb) SMB - remaining NetBIOS data length less than command length
</p>
</li>
<li>
<p>
<strong>133:12</strong> (dce_smb) SMB - remaining NetBIOS data length less than command byte count
</p>
</li>
<li>
<p>
<strong>133:13</strong> (dce_smb) SMB - remaining NetBIOS data length less than command data size
</p>
</li>
<li>
<p>
<strong>133:14</strong> (dce_smb) SMB - remaining total data count less than this command data size
</p>
</li>
<li>
<p>
<strong>133:15</strong> (dce_smb) SMB - total data sent (STDu64) greater than command total data expected
</p>
</li>
<li>
<p>
<strong>133:16</strong> (dce_smb) SMB - byte count less than command data size (STDu64)
</p>
</li>
<li>
<p>
<strong>133:17</strong> (dce_smb) SMB - invalid command data size for byte count
</p>
</li>
<li>
<p>
<strong>133:18</strong> (dce_smb) SMB - excessive tree connect requests with pending tree connect responses
</p>
</li>
<li>
<p>
<strong>133:19</strong> (dce_smb) SMB - excessive read requests with pending read responses
</p>
</li>
<li>
<p>
<strong>133:20</strong> (dce_smb) SMB - excessive command chaining
</p>
</li>
<li>
<p>
<strong>133:21</strong> (dce_smb) SMB - multiple chained tree connect requests
</p>
</li>
<li>
<p>
<strong>133:22</strong> (dce_smb) SMB - multiple chained tree connect requests
</p>
</li>
<li>
<p>
<strong>133:23</strong> (dce_smb) SMB - chained/compounded login followed by logoff
</p>
</li>
<li>
<p>
<strong>133:24</strong> (dce_smb) SMB - chained/compounded tree connect followed by tree disconnect
</p>
</li>
<li>
<p>
<strong>133:25</strong> (dce_smb) SMB - chained/compounded open pipe followed by close pipe
</p>
</li>
<li>
<p>
<strong>133:26</strong> (dce_smb) SMB - invalid share access
</p>
</li>
<li>
<p>
<strong>133:44</strong> (dce_smb) SMB - invalid SMB version 1 seen
</p>
</li>
<li>
<p>
<strong>133:45</strong> (dce_smb) SMB - invalid SMB version 2 seen
</p>
</li>
<li>
<p>
<strong>133:46</strong> (dce_smb) SMB - invalid user, tree connect, file binding
</p>
</li>
<li>
<p>
<strong>133:47</strong> (dce_smb) SMB - excessive command compounding
</p>
</li>
<li>
<p>
<strong>133:48</strong> (dce_smb) SMB - zero data count
</p>
</li>
<li>
<p>
<strong>133:50</strong> (dce_smb) SMB - maximum number of outstanding requests exceeded
</p>
</li>
<li>
<p>
<strong>133:51</strong> (dce_smb) SMB - outstanding requests with same MID
</p>
</li>
<li>
<p>
<strong>133:52</strong> (dce_smb) SMB - deprecated dialect negotiated
</p>
</li>
<li>
<p>
<strong>133:53</strong> (dce_smb) SMB - deprecated command used
</p>
</li>
<li>
<p>
<strong>133:54</strong> (dce_smb) SMB - unusual command used
</p>
</li>
<li>
<p>
<strong>133:55</strong> (dce_smb) SMB - invalid setup count for command
</p>
</li>
<li>
<p>
<strong>133:56</strong> (dce_smb) SMB - client attempted multiple dialect negotiations on session
</p>
</li>
<li>
<p>
<strong>133:57</strong> (dce_smb) SMB - client attempted to create or set a file&#8217;s attributes to readonly/hidden/system
</p>
</li>
<li>
<p>
<strong>133:58</strong> (dce_smb) SMB - file offset provided is greater than file size specified
</p>
</li>
<li>
<p>
<strong>133:59</strong> (dce_smb) SMB - next command specified in SMB2 header is beyond payload boundary
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>dce_smb.events</strong>: total events (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.pdus</strong>: total connection-oriented PDUs (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.binds</strong>: total connection-oriented binds (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.bind_acks</strong>: total connection-oriented binds acks (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.alter_contexts</strong>: total connection-oriented alter contexts (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.alter_context_responses</strong>: total connection-oriented alter context responses (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.bind_naks</strong>: total connection-oriented bind naks (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.requests</strong>: total connection-oriented requests (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.responses</strong>: total connection-oriented responses (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.cancels</strong>: total connection-oriented cancels (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.orphaned</strong>: total connection-oriented orphaned (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.faults</strong>: total connection-oriented faults (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.auth3s</strong>: total connection-oriented auth3s (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.shutdowns</strong>: total connection-oriented shutdowns (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.rejects</strong>: total connection-oriented rejects (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.ms_rpc_http_pdus</strong>: total connection-oriented MS requests to send RPC over HTTP (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.other_requests</strong>: total connection-oriented other requests (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.other_responses</strong>: total connection-oriented other responses (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.request_fragments</strong>: total connection-oriented request fragments (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.response_fragments</strong>: total connection-oriented response fragments (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.client_max_fragment_size</strong>: connection-oriented client maximum fragment size (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.client_min_fragment_size</strong>: connection-oriented client minimum fragment size (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.client_segs_reassembled</strong>: total connection-oriented client segments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.client_frags_reassembled</strong>: total connection-oriented client fragments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.server_max_fragment_size</strong>: connection-oriented server maximum fragment size (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.server_min_fragment_size</strong>: connection-oriented server minimum fragment size (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.server_segs_reassembled</strong>: total connection-oriented server segments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.server_frags_reassembled</strong>: total connection-oriented server fragments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.sessions</strong>: total smb sessions (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.packets</strong>: total smb packets (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.ignored_bytes</strong>: total ignored bytes (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.smb_client_segs_reassembled</strong>: total smb client segments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.smb_server_segs_reassembled</strong>: total smb server segments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.max_outstanding_requests</strong>: total smb maximum outstanding requests (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.files_processed</strong>: total smb files processed (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.smbv2_create</strong>: total number of SMBv2 create packets seen (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.smbv2_write</strong>: total number of SMBv2 write packets seen (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.smbv2_read</strong>: total number of SMBv2 read packets seen (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.smbv2_set_info</strong>: total number of SMBv2 set info packets seen (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.smbv2_tree_connect</strong>: total number of SMBv2 tree connect packets seen (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.smbv2_tree_disconnect</strong>: total number of SMBv2 tree disconnect packets seen (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.smbv2_close</strong>: total number of SMBv2 close packets seen (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.concurrent_sessions</strong>: total concurrent sessions (now)
</p>
</li>
<li>
<p>
<strong>dce_smb.max_concurrent_sessions</strong>: maximum concurrent sessions (max)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_dce_tcp">dce_tcp</h3>
<div class="paragraph"><p>What: dce over tcp inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>dce_tcp.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow
</p>
</li>
<li>
<p>
bool <strong>dce_tcp.disable_defrag</strong> = false: disable DCE/RPC defragmentation
</p>
</li>
<li>
<p>
int <strong>dce_tcp.max_frag_len</strong> = 65535: maximum fragment size for defragmentation { 1514:65535 }
</p>
</li>
<li>
<p>
int <strong>dce_tcp.reassemble_threshold</strong> = 0: minimum bytes received before performing reassembly { 0:65535 }
</p>
</li>
<li>
<p>
enum <strong>dce_tcp.policy</strong> = WinXP: target based policy to use { Win2000 |  WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba | Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>133:27</strong> (dce_tcp) connection oriented DCE/RPC - invalid major version
</p>
</li>
<li>
<p>
<strong>133:28</strong> (dce_tcp) connection oriented DCE/RPC - invalid minor version
</p>
</li>
<li>
<p>
<strong>133:29</strong> (dce_tcp) connection-oriented DCE/RPC - invalid PDU type
</p>
</li>
<li>
<p>
<strong>133:30</strong> (dce_tcp) connection-oriented DCE/RPC - fragment length less than header size
</p>
</li>
<li>
<p>
<strong>133:31</strong> (dce_tcp) connection-oriented DCE/RPC - remaining fragment length less than size needed
</p>
</li>
<li>
<p>
<strong>133:32</strong> (dce_tcp) connection-oriented DCE/RPC - no context items specified
</p>
</li>
<li>
<p>
<strong>133:33</strong> (dce_tcp) connection-oriented DCE/RPC -no transfer syntaxes specified
</p>
</li>
<li>
<p>
<strong>133:34</strong> (dce_tcp) connection-oriented DCE/RPC - fragment length on non-last fragment less than maximum negotiated fragment transmit size for client
</p>
</li>
<li>
<p>
<strong>133:35</strong> (dce_tcp) connection-oriented DCE/RPC - fragment length greater than maximum negotiated fragment transmit size
</p>
</li>
<li>
<p>
<strong>133:36</strong> (dce_tcp) connection-oriented DCE/RPC - alter context byte order different from bind
</p>
</li>
<li>
<p>
<strong>133:37</strong> (dce_tcp) connection-oriented DCE/RPC - call id of non first/last fragment different from call id established for fragmented request
</p>
</li>
<li>
<p>
<strong>133:38</strong> (dce_tcp) connection-oriented DCE/RPC - opnum of non first/last fragment different from opnum established for fragmented request
</p>
</li>
<li>
<p>
<strong>133:39</strong> (dce_tcp) connection-oriented DCE/RPC - context id of non first/last fragment different from context id established for fragmented request
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>dce_tcp.events</strong>: total events (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.pdus</strong>: total connection-oriented PDUs (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.binds</strong>: total connection-oriented binds (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.bind_acks</strong>: total connection-oriented binds acks (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.alter_contexts</strong>: total connection-oriented alter contexts (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.alter_context_responses</strong>: total connection-oriented alter context responses (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.bind_naks</strong>: total connection-oriented bind naks (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.requests</strong>: total connection-oriented requests (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.responses</strong>: total connection-oriented responses (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.cancels</strong>: total connection-oriented cancels (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.orphaned</strong>: total connection-oriented orphaned (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.faults</strong>: total connection-oriented faults (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.auth3s</strong>: total connection-oriented auth3s (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.shutdowns</strong>: total connection-oriented shutdowns (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.rejects</strong>: total connection-oriented rejects (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.ms_rpc_http_pdus</strong>: total connection-oriented MS requests to send RPC over HTTP (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.other_requests</strong>: total connection-oriented other requests (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.other_responses</strong>: total connection-oriented other responses (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.request_fragments</strong>: total connection-oriented request fragments (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.response_fragments</strong>: total connection-oriented response fragments (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.client_max_fragment_size</strong>: connection-oriented client maximum fragment size (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.client_min_fragment_size</strong>: connection-oriented client minimum fragment size (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.client_segs_reassembled</strong>: total connection-oriented client segments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.client_frags_reassembled</strong>: total connection-oriented client fragments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.server_max_fragment_size</strong>: connection-oriented server maximum fragment size (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.server_min_fragment_size</strong>: connection-oriented server minimum fragment size (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.server_segs_reassembled</strong>: total connection-oriented server segments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.server_frags_reassembled</strong>: total connection-oriented server fragments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.tcp_sessions</strong>: total tcp sessions (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.tcp_packets</strong>: total tcp packets (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.concurrent_sessions</strong>: total concurrent sessions (now)
</p>
</li>
<li>
<p>
<strong>dce_tcp.max_concurrent_sessions</strong>: maximum concurrent sessions (max)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_dce_udp">dce_udp</h3>
<div class="paragraph"><p>What: dce over udp inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>dce_udp.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow
</p>
</li>
<li>
<p>
bool <strong>dce_udp.disable_defrag</strong> = false: disable DCE/RPC defragmentation
</p>
</li>
<li>
<p>
int <strong>dce_udp.max_frag_len</strong> = 65535: maximum fragment size for defragmentation { 1514:65535 }
</p>
</li>
<li>
<p>
int <strong>dce_udp.trace</strong>: mask for enabling debug traces in module { 0:max53 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>133:40</strong> (dce_udp) connection-less DCE/RPC - invalid major version
</p>
</li>
<li>
<p>
<strong>133:41</strong> (dce_udp) connection-less DCE/RPC - invalid PDU type
</p>
</li>
<li>
<p>
<strong>133:42</strong> (dce_udp) connection-less DCE/RPC - data length less than header size
</p>
</li>
<li>
<p>
<strong>133:43</strong> (dce_udp) connection-less DCE/RPC - bad sequence number
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>dce_udp.events</strong>: total events (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.udp_sessions</strong>: total udp sessions (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.udp_packets</strong>: total udp packets (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.requests</strong>: total connection-less requests (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.acks</strong>: total connection-less acks (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.cancels</strong>: total connection-less cancels (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.client_facks</strong>: total connection-less client facks (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.ping</strong>: total connection-less ping (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.responses</strong>: total connection-less responses (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.rejects</strong>: total connection-less rejects (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.cancel_acks</strong>: total connection-less cancel acks (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.server_facks</strong>: total connection-less server facks (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.faults</strong>: total connection-less faults (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.no_calls</strong>: total connection-less no calls (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.working</strong>: total connection-less working (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.other_requests</strong>: total connection-less other requests (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.other_responses</strong>: total connection-less other responses (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.fragments</strong>: total connection-less fragments (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.max_fragment_size</strong>: connection-less maximum fragment size (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.frags_reassembled</strong>: total connection-less fragments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.max_seqnum</strong>: max connection-less seqnum (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.concurrent_sessions</strong>: total concurrent sessions (now)
</p>
</li>
<li>
<p>
<strong>dce_udp.max_concurrent_sessions</strong>: maximum concurrent sessions (max)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_dnp3">dnp3</h3>
<div class="paragraph"><p>What: dnp3 inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>dnp3.check_crc</strong> = false: validate checksums in DNP3 link layer frames
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>145:1</strong> (dnp3) DNP3 link-layer frame contains bad CRC
</p>
</li>
<li>
<p>
<strong>145:2</strong> (dnp3) DNP3 link-layer frame was dropped
</p>
</li>
<li>
<p>
<strong>145:3</strong> (dnp3) DNP3 transport-layer segment was dropped during reassembly
</p>
</li>
<li>
<p>
<strong>145:4</strong> (dnp3) DNP3 reassembly buffer was cleared without reassembling a complete message
</p>
</li>
<li>
<p>
<strong>145:5</strong> (dnp3) DNP3 link-layer frame uses a reserved address
</p>
</li>
<li>
<p>
<strong>145:6</strong> (dnp3) DNP3 application-layer fragment uses a reserved function code
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>dnp3.total_packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>dnp3.udp_packets</strong>: total udp packets (sum)
</p>
</li>
<li>
<p>
<strong>dnp3.tcp_pdus</strong>: total tcp pdus (sum)
</p>
</li>
<li>
<p>
<strong>dnp3.dnp3_link_layer_frames</strong>: total dnp3 link layer frames (sum)
</p>
</li>
<li>
<p>
<strong>dnp3.dnp3_application_pdus</strong>: total dnp3 application pdus (sum)
</p>
</li>
<li>
<p>
<strong>dnp3.concurrent_sessions</strong>: total concurrent dnp3 sessions (now)
</p>
</li>
<li>
<p>
<strong>dnp3.max_concurrent_sessions</strong>: maximum concurrent dnp3 sessions (max)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_dns">dns</h3>
<div class="paragraph"><p>What: dns inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>131:1</strong> (dns) obsolete DNS RR types
</p>
</li>
<li>
<p>
<strong>131:2</strong> (dns) experimental DNS RR types
</p>
</li>
<li>
<p>
<strong>131:3</strong> (dns) DNS client rdata txt overflow
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>dns.packets</strong>: total packets processed (sum)
</p>
</li>
<li>
<p>
<strong>dns.requests</strong>: total dns requests (sum)
</p>
</li>
<li>
<p>
<strong>dns.responses</strong>: total dns responses (sum)
</p>
</li>
<li>
<p>
<strong>dns.concurrent_sessions</strong>: total concurrent dns sessions (now)
</p>
</li>
<li>
<p>
<strong>dns.max_concurrent_sessions</strong>: maximum concurrent dns sessions (max)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_domain_filter">domain_filter</h3>
<div class="paragraph"><p>What: alert on configured HTTP domains</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>domain_filter.file</strong>: file with list of domains identifying hosts to be filtered
</p>
</li>
<li>
<p>
string <strong>domain_filter.hosts</strong>: list of domains identifying hosts to be filtered
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>175:1</strong> (domain_filter) configured domain detected
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>domain_filter.checked</strong>: domains checked (sum)
</p>
</li>
<li>
<p>
<strong>domain_filter.filtered</strong>: domains filtered (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_dpx">dpx</h3>
<div class="paragraph"><p>What: dynamic inspector example</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
port <strong>dpx.port</strong>: port to check
</p>
</li>
<li>
<p>
int <strong>dpx.max</strong> = 0: maximum payload before alert { 0:65535 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>256:1</strong> (dpx) too much data sent to port
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>dpx.packets</strong>: total packets (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_file_id">file_id</h3>
<div class="paragraph"><p>What: configure file identification</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>file_id.type_depth</strong> = 1460: stop type ID at this point { 0:max53 }
</p>
</li>
<li>
<p>
int <strong>file_id.signature_depth</strong> = 10485760: stop signature at this point { 0:max53 }
</p>
</li>
<li>
<p>
int <strong>file_id.block_timeout</strong> = 86400: stop blocking after this many seconds { 0:max31 }
</p>
</li>
<li>
<p>
int <strong>file_id.lookup_timeout</strong> = 2: give up on lookup after this many seconds { 0:max31 }
</p>
</li>
<li>
<p>
bool <strong>file_id.block_timeout_lookup</strong> = false: block if lookup times out
</p>
</li>
<li>
<p>
int <strong>file_id.capture_memcap</strong> = 100: memcap for file capture in megabytes { 0:max53 }
</p>
</li>
<li>
<p>
int <strong>file_id.capture_max_size</strong> = 1048576: stop file capture beyond this point { 0:max53 }
</p>
</li>
<li>
<p>
int <strong>file_id.capture_min_size</strong> = 0: stop file capture if file size less than this { 0:max53 }
</p>
</li>
<li>
<p>
int <strong>file_id.capture_block_size</strong> = 32768: file capture block size in bytes { 8:max53 }
</p>
</li>
<li>
<p>
int <strong>file_id.max_files_cached</strong> = 65536: maximal number of files cached in memory { 8:max53 }
</p>
</li>
<li>
<p>
bool <strong>file_id.enable_type</strong> = true: enable type ID
</p>
</li>
<li>
<p>
bool <strong>file_id.enable_signature</strong> = true: enable signature calculation
</p>
</li>
<li>
<p>
bool <strong>file_id.enable_capture</strong> = false: enable file capture
</p>
</li>
<li>
<p>
int <strong>file_id.show_data_depth</strong> = 100: print this many octets { 0:max53 }
</p>
</li>
<li>
<p>
int <strong><code>file_id.file_rules[].rev</code></strong> = 0: rule revision { 0:max32 }
</p>
</li>
<li>
<p>
string <strong><code>file_id.file_rules[].msg</code></strong>: information about the file type
</p>
</li>
<li>
<p>
string <strong><code>file_id.file_rules[].type</code></strong>: file type name
</p>
</li>
<li>
<p>
int <strong><code>file_id.file_rules[].id</code></strong> = 0: file type id { 0:max32 }
</p>
</li>
<li>
<p>
string <strong><code>file_id.file_rules[].category</code></strong>: file type category
</p>
</li>
<li>
<p>
string <strong><code>file_id.file_rules[].group</code></strong>: comma separated list of groups associated with file type
</p>
</li>
<li>
<p>
string <strong><code>file_id.file_rules[].version</code></strong>: file type version
</p>
</li>
<li>
<p>
string <strong><code>file_id.file_rules[].magic[].content</code></strong>: file magic content
</p>
</li>
<li>
<p>
int <strong><code>file_id.file_rules[].magic[].offset</code></strong> = 0: file magic offset { 0:max32 }
</p>
</li>
<li>
<p>
int <strong><code>file_id.file_policy[].when.file_type_id</code></strong> = 0: unique ID for file type in file magic rule { 0:max32 }
</p>
</li>
<li>
<p>
string <strong><code>file_id.file_policy[].when.sha256</code></strong>: SHA 256
</p>
</li>
<li>
<p>
enum <strong><code>file_id.file_policy[].use.verdict</code></strong> = unknown: what to do with matching traffic { unknown | log | stop | block | reset  }
</p>
</li>
<li>
<p>
bool <strong><code>file_id.file_policy[].use.enable_file_type</code></strong> = false: true/false &#8594; enable/disable file type identification
</p>
</li>
<li>
<p>
bool <strong><code>file_id.file_policy[].use.enable_file_signature</code></strong> = false: true/false &#8594; enable/disable file signature
</p>
</li>
<li>
<p>
bool <strong><code>file_id.file_policy[].use.enable_file_capture</code></strong> = false: true/false &#8594; enable/disable file capture
</p>
</li>
<li>
<p>
bool <strong>file_id.trace_type</strong> = false: enable runtime dump of type info
</p>
</li>
<li>
<p>
bool <strong>file_id.trace_signature</strong> = false: enable runtime dump of signature info
</p>
</li>
<li>
<p>
bool <strong>file_id.trace_stream</strong> = false: enable runtime dump of file data
</p>
</li>
<li>
<p>
int <strong>file_id.verdict_delay</strong> = 0: number of queries to return final verdict { 0:max53 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>file_id.total_files</strong>: number of files processed (sum)
</p>
</li>
<li>
<p>
<strong>file_id.total_file_data</strong>: number of file data bytes processed (sum)
</p>
</li>
<li>
<p>
<strong>file_id.cache_failures</strong>: number of file cache add failures (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_file_log">file_log</h3>
<div class="paragraph"><p>What: log file event to file.log</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>file_log.log_pkt_time</strong> = true: log the packet time when event generated
</p>
</li>
<li>
<p>
bool <strong>file_log.log_sys_time</strong> = false: log the system time when event generated
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>file_log.total_events</strong>: total file events (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_finalize_packet">finalize_packet</h3>
<div class="paragraph"><p>What: handle the finalize packet event</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>finalize_packet.start_pdu</strong> = 0: Register to receive finalize packet event starting on this PDU { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>finalize_packet.end_pdu</strong> = 0: Deregister for finalize packet events on this PDU { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>finalize_packet.modify.pdu</strong> = 0: Modify verdict in finalize packet for this PDU { 0:max32 }
</p>
</li>
<li>
<p>
enum <strong>finalize_packet.modify.verdict</strong>: output format for stats { pass | block | replace | whitelist | blacklist | ignore | retry }
</p>
</li>
<li>
<p>
bool <strong>finalize_packet.switch_to_wizard</strong> = false: switch to wizard on first finalize event
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>finalize_packet.pdus</strong>: total PDUs seen (sum)
</p>
</li>
<li>
<p>
<strong>finalize_packet.events</strong>: total events seen (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ftp_client">ftp_client</h3>
<div class="paragraph"><p>What: FTP client configuration module for use with ftp_server</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>ftp_client.bounce</strong> = false: check for bounces
</p>
</li>
<li>
<p>
addr <strong><code>ftp_client.bounce_to[].address</code></strong> = 1.0.0.0/32: allowed IP address in CIDR format
</p>
</li>
<li>
<p>
port <strong><code>ftp_client.bounce_to[].port</code></strong> = 20: allowed port
</p>
</li>
<li>
<p>
port <strong><code>ftp_client.bounce_to[].last_port</code></strong>: optional allowed range from port to last_port inclusive
</p>
</li>
<li>
<p>
bool <strong>ftp_client.ignore_telnet_erase_cmds</strong> = false: ignore erase character and erase line commands when normalizing
</p>
</li>
<li>
<p>
int <strong>ftp_client.max_resp_len</strong> = 4294967295: maximum FTP response accepted by client { 0:max32 }
</p>
</li>
<li>
<p>
bool <strong>ftp_client.telnet_cmds</strong> = false: detect Telnet escape sequences on FTP control channel
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ftp_data_2">ftp_data</h3>
<div class="paragraph"><p>What: FTP data channel handler</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>ftp_data.packets</strong>: total packets (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ftp_server">ftp_server</h3>
<div class="paragraph"><p>What: main FTP module; ftp_client should also be configured</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>ftp_server.chk_str_fmt</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong>ftp_server.data_chan_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong>ftp_server.data_rest_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong>ftp_server.data_xfer_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong><code>ftp_server.directory_cmds[].dir_cmd</code></strong>: directory command
</p>
</li>
<li>
<p>
int <strong><code>ftp_server.directory_cmds[].rsp_code</code></strong> = 200: expected successful response code for command { 200:max32 }
</p>
</li>
<li>
<p>
string <strong>ftp_server.file_put_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong>ftp_server.file_get_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong>ftp_server.encr_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong>ftp_server.login_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
bool <strong>ftp_server.check_encrypted</strong> = false: check for end of encryption
</p>
</li>
<li>
<p>
string <strong><code>ftp_server.cmd_validity[].command</code></strong>: command string
</p>
</li>
<li>
<p>
string <strong><code>ftp_server.cmd_validity[].format</code></strong>: format specification
</p>
</li>
<li>
<p>
int <strong><code>ftp_server.cmd_validity[].length</code></strong> = 0: specify non-default maximum for command { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>ftp_server.def_max_param_len</strong> = 100: default maximum length of commands handled by server; 0 is unlimited { 1:max32 }
</p>
</li>
<li>
<p>
bool <strong>ftp_server.encrypted_traffic</strong> = false: check for encrypted Telnet and FTP
</p>
</li>
<li>
<p>
string <strong>ftp_server.ftp_cmds</strong>: specify additional commands supported by server beyond RFC 959
</p>
</li>
<li>
<p>
bool <strong>ftp_server.ignore_data_chan</strong> = false: do not inspect FTP data channels
</p>
</li>
<li>
<p>
bool <strong>ftp_server.ignore_telnet_erase_cmds</strong> = false: ignore erase character and erase line commands when normalizing
</p>
</li>
<li>
<p>
bool <strong>ftp_server.print_cmds</strong> = false: print command configurations on start up
</p>
</li>
<li>
<p>
bool <strong>ftp_server.telnet_cmds</strong> = false: detect Telnet escape sequences of FTP control channel
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>125:1</strong> (ftp_server) TELNET cmd on FTP command channel
</p>
</li>
<li>
<p>
<strong>125:2</strong> (ftp_server) invalid FTP command
</p>
</li>
<li>
<p>
<strong>125:3</strong> (ftp_server) FTP command parameters were too long
</p>
</li>
<li>
<p>
<strong>125:4</strong> (ftp_server) FTP command parameters were malformed
</p>
</li>
<li>
<p>
<strong>125:5</strong> (ftp_server) FTP command parameters contained potential string format
</p>
</li>
<li>
<p>
<strong>125:6</strong> (ftp_server) FTP response message was too long
</p>
</li>
<li>
<p>
<strong>125:7</strong> (ftp_server) FTP traffic encrypted
</p>
</li>
<li>
<p>
<strong>125:8</strong> (ftp_server) FTP bounce attempt
</p>
</li>
<li>
<p>
<strong>125:9</strong> (ftp_server) evasive (incomplete) TELNET cmd on FTP command channel
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>ftp_server.total_packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>ftp_server.concurrent_sessions</strong>: total concurrent FTP sessions (now)
</p>
</li>
<li>
<p>
<strong>ftp_server.max_concurrent_sessions</strong>: maximum concurrent FTP sessions (max)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_gtp_inspect">gtp_inspect</h3>
<div class="paragraph"><p>What: gtp control channel inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong><code>gtp_inspect[].version</code></strong> = 2: GTP version { 0:2 }
</p>
</li>
<li>
<p>
int <strong><code>gtp_inspect[].messages[].type</code></strong> = 0: message type code { 0:255 }
</p>
</li>
<li>
<p>
string <strong><code>gtp_inspect[].messages[].name</code></strong>: message name
</p>
</li>
<li>
<p>
int <strong><code>gtp_inspect[].infos[].type</code></strong> = 0: information element type code { 0:255 }
</p>
</li>
<li>
<p>
string <strong><code>gtp_inspect[].infos[].name</code></strong>: information element name
</p>
</li>
<li>
<p>
int <strong><code>gtp_inspect[].infos[].length</code></strong> = 0: information element type code { 0:255 }
</p>
</li>
<li>
<p>
int <strong>gtp_inspect.trace</strong>: mask for enabling debug traces in module { 0:max53 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>143:1</strong> (gtp_inspect) message length is invalid
</p>
</li>
<li>
<p>
<strong>143:2</strong> (gtp_inspect) information element length is invalid
</p>
</li>
<li>
<p>
<strong>143:3</strong> (gtp_inspect) information elements are out of order
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>gtp_inspect.sessions</strong>: total sessions processed (sum)
</p>
</li>
<li>
<p>
<strong>gtp_inspect.concurrent_sessions</strong>: total concurrent gtp sessions (now)
</p>
</li>
<li>
<p>
<strong>gtp_inspect.max_concurrent_sessions</strong>: maximum concurrent gtp sessions (max)
</p>
</li>
<li>
<p>
<strong>gtp_inspect.events</strong>: requests (sum)
</p>
</li>
<li>
<p>
<strong>gtp_inspect.unknown_types</strong>: unknown message types (sum)
</p>
</li>
<li>
<p>
<strong>gtp_inspect.unknown_infos</strong>: unknown information elements (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http2_inspect">http2_inspect</h3>
<div class="paragraph"><p>What: HTTP/2 inspector</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>121:1</strong> (http2_inspect) error in HPACK integer value
</p>
</li>
<li>
<p>
<strong>121:2</strong> (http2_inspect) integer value has leading zeros
</p>
</li>
<li>
<p>
<strong>121:3</strong> (http2_inspect) error in HPACK string value
</p>
</li>
<li>
<p>
<strong>121:4</strong> (http2_inspect) missing continuation frame
</p>
</li>
<li>
<p>
<strong>121:5</strong> (http2_inspect) unexpected continuation frame
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>http2_inspect.flows</strong>: HTTP connections inspected (sum)
</p>
</li>
<li>
<p>
<strong>http2_inspect.concurrent_sessions</strong>: total concurrent HTTP/2 sessions (now)
</p>
</li>
<li>
<p>
<strong>http2_inspect.max_concurrent_sessions</strong>: maximum concurrent HTTP/2 sessions (max)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http_inspect">http_inspect</h3>
<div class="paragraph"><p>What: HTTP inspector</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>http_inspect.request_depth</strong> = -1: maximum request message body bytes to examine (-1 no limit) { -1:max53 }
</p>
</li>
<li>
<p>
int <strong>http_inspect.response_depth</strong> = -1: maximum response message body bytes to examine (-1 no limit) { -1:max53 }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.unzip</strong> = true: decompress gzip and deflate message bodies
</p>
</li>
<li>
<p>
bool <strong>http_inspect.normalize_utf</strong> = true: normalize charset utf encodings in response bodies
</p>
</li>
<li>
<p>
bool <strong>http_inspect.decompress_pdf</strong> = false: decompress pdf files in response bodies
</p>
</li>
<li>
<p>
bool <strong>http_inspect.decompress_swf</strong> = false: decompress swf files in response bodies
</p>
</li>
<li>
<p>
bool <strong>http_inspect.decompress_zip</strong> = false: decompress zip files in response bodies
</p>
</li>
<li>
<p>
bool <strong>http_inspect.accelerated_blocking</strong> = false: inspect JavaScript in response messages as soon as possible
</p>
</li>
<li>
<p>
bool <strong>http_inspect.normalize_javascript</strong> = false: normalize JavaScript in response bodies
</p>
</li>
<li>
<p>
int <strong>http_inspect.max_javascript_whitespaces</strong> = 200: maximum consecutive whitespaces allowed within the JavaScript obfuscated data { 1:65535 }
</p>
</li>
<li>
<p>
bit_list <strong>http_inspect.bad_characters</strong>: alert when any of specified bytes are present in URI after percent decoding { 255 }
</p>
</li>
<li>
<p>
string <strong>http_inspect.ignore_unreserved</strong>: do not alert when the specified unreserved characters are percent-encoded in a URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore, tilde, and minus. { (optional) }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.percent_u</strong> = false: normalize %uNNNN and %UNNNN encodings
</p>
</li>
<li>
<p>
bool <strong>http_inspect.utf8</strong> = true: normalize 2-byte and 3-byte UTF-8 characters to a single byte
</p>
</li>
<li>
<p>
bool <strong>http_inspect.utf8_bare_byte</strong> = false: when doing UTF-8 character normalization include bytes that were not percent encoded
</p>
</li>
<li>
<p>
bool <strong>http_inspect.iis_unicode</strong> = false: use IIS unicode code point mapping to normalize characters
</p>
</li>
<li>
<p>
string <strong>http_inspect.iis_unicode_map_file</strong>: file containing code points for IIS unicode. { (optional) }
</p>
</li>
<li>
<p>
int <strong>http_inspect.iis_unicode_code_page</strong> = 1252: code page to use from the IIS unicode map file { 0:65535 }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.iis_double_decode</strong> = false: perform double decoding of percent encodings to normalize characters
</p>
</li>
<li>
<p>
int <strong>http_inspect.oversize_dir_length</strong> = 300: maximum length for URL directory { 1:65535 }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.backslash_to_slash</strong> = false: replace \ with / when normalizing URIs
</p>
</li>
<li>
<p>
bool <strong>http_inspect.plus_to_space</strong> = true: replace + with &lt;sp&gt; when normalizing URIs
</p>
</li>
<li>
<p>
bool <strong>http_inspect.simplify_path</strong> = true: reduce URI directory path to simplest form
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>119:1</strong> (http_inspect) ascii encoding
</p>
</li>
<li>
<p>
<strong>119:2</strong> (http_inspect) double decoding attack
</p>
</li>
<li>
<p>
<strong>119:3</strong> (http_inspect) u encoding
</p>
</li>
<li>
<p>
<strong>119:4</strong> (http_inspect) bare byte unicode encoding
</p>
</li>
<li>
<p>
<strong>119:5</strong> (http_inspect) obsolete event&#8212;deleted
</p>
</li>
<li>
<p>
<strong>119:6</strong> (http_inspect) UTF-8 encoding
</p>
</li>
<li>
<p>
<strong>119:7</strong> (http_inspect) unicode map code point encoding in URI
</p>
</li>
<li>
<p>
<strong>119:8</strong> (http_inspect) multi_slash encoding
</p>
</li>
<li>
<p>
<strong>119:9</strong> (http_inspect) backslash used in URI path
</p>
</li>
<li>
<p>
<strong>119:10</strong> (http_inspect) self directory traversal
</p>
</li>
<li>
<p>
<strong>119:11</strong> (http_inspect) directory traversal
</p>
</li>
<li>
<p>
<strong>119:12</strong> (http_inspect) apache whitespace (tab)
</p>
</li>
<li>
<p>
<strong>119:13</strong> (http_inspect) HTTP header line terminated by LF without a CR
</p>
</li>
<li>
<p>
<strong>119:14</strong> (http_inspect) non-RFC defined char
</p>
</li>
<li>
<p>
<strong>119:15</strong> (http_inspect) oversize request-uri directory
</p>
</li>
<li>
<p>
<strong>119:16</strong> (http_inspect) oversize chunk encoding
</p>
</li>
<li>
<p>
<strong>119:17</strong> (http_inspect) unauthorized proxy use detected
</p>
</li>
<li>
<p>
<strong>119:18</strong> (http_inspect) webroot directory traversal
</p>
</li>
<li>
<p>
<strong>119:19</strong> (http_inspect) long header
</p>
</li>
<li>
<p>
<strong>119:20</strong> (http_inspect) max header fields
</p>
</li>
<li>
<p>
<strong>119:21</strong> (http_inspect) multiple content length
</p>
</li>
<li>
<p>
<strong>119:22</strong> (http_inspect) obsolete event&#8212;deleted
</p>
</li>
<li>
<p>
<strong>119:23</strong> (http_inspect) invalid IP in true-client-IP/XFF header
</p>
</li>
<li>
<p>
<strong>119:24</strong> (http_inspect) multiple host hdrs detected
</p>
</li>
<li>
<p>
<strong>119:25</strong> (http_inspect) hostname exceeds 255 characters
</p>
</li>
<li>
<p>
<strong>119:26</strong> (http_inspect) too much whitespace in header (not implemented yet)
</p>
</li>
<li>
<p>
<strong>119:27</strong> (http_inspect) client consecutive small chunk sizes
</p>
</li>
<li>
<p>
<strong>119:28</strong> (http_inspect) POST or PUT w/o content-length or chunks
</p>
</li>
<li>
<p>
<strong>119:29</strong> (http_inspect) multiple true ips in a session
</p>
</li>
<li>
<p>
<strong>119:30</strong> (http_inspect) both true-client-IP and XFF hdrs present
</p>
</li>
<li>
<p>
<strong>119:31</strong> (http_inspect) unknown method
</p>
</li>
<li>
<p>
<strong>119:32</strong> (http_inspect) simple request
</p>
</li>
<li>
<p>
<strong>119:33</strong> (http_inspect) unescaped space in HTTP URI
</p>
</li>
<li>
<p>
<strong>119:34</strong> (http_inspect) too many pipelined requests
</p>
</li>
<li>
<p>
<strong>119:101</strong> (http_inspect) obsolete event&#8212;deleted
</p>
</li>
<li>
<p>
<strong>119:102</strong> (http_inspect) invalid status code in HTTP response
</p>
</li>
<li>
<p>
<strong>119:103</strong> (http_inspect) unused event number&#8212;should not appear
</p>
</li>
<li>
<p>
<strong>119:104</strong> (http_inspect) HTTP response has UTF charset that failed to normalize
</p>
</li>
<li>
<p>
<strong>119:105</strong> (http_inspect) HTTP response has UTF-7 charset
</p>
</li>
<li>
<p>
<strong>119:106</strong> (http_inspect) HTTP response gzip decompression failed
</p>
</li>
<li>
<p>
<strong>119:107</strong> (http_inspect) server consecutive small chunk sizes
</p>
</li>
<li>
<p>
<strong>119:108</strong> (http_inspect) unused event number&#8212;should not appear
</p>
</li>
<li>
<p>
<strong>119:109</strong> (http_inspect) javascript obfuscation levels exceeds 1
</p>
</li>
<li>
<p>
<strong>119:110</strong> (http_inspect) javascript whitespaces exceeds max allowed
</p>
</li>
<li>
<p>
<strong>119:111</strong> (http_inspect) multiple encodings within javascript obfuscated data
</p>
</li>
<li>
<p>
<strong>119:112</strong> (http_inspect) SWF file zlib decompression failure
</p>
</li>
<li>
<p>
<strong>119:113</strong> (http_inspect) SWF file LZMA decompression failure
</p>
</li>
<li>
<p>
<strong>119:114</strong> (http_inspect) PDF file deflate decompression failure
</p>
</li>
<li>
<p>
<strong>119:115</strong> (http_inspect) PDF file unsupported compression type
</p>
</li>
<li>
<p>
<strong>119:116</strong> (http_inspect) PDF file cascaded compression
</p>
</li>
<li>
<p>
<strong>119:117</strong> (http_inspect) PDF file parse failure
</p>
</li>
<li>
<p>
<strong>119:201</strong> (http_inspect) not HTTP traffic
</p>
</li>
<li>
<p>
<strong>119:202</strong> (http_inspect) chunk length has excessive leading zeros
</p>
</li>
<li>
<p>
<strong>119:203</strong> (http_inspect) white space before or between messages
</p>
</li>
<li>
<p>
<strong>119:204</strong> (http_inspect) request message without URI
</p>
</li>
<li>
<p>
<strong>119:205</strong> (http_inspect) control character in reason phrase
</p>
</li>
<li>
<p>
<strong>119:206</strong> (http_inspect) illegal extra whitespace in start line
</p>
</li>
<li>
<p>
<strong>119:207</strong> (http_inspect) corrupted HTTP version
</p>
</li>
<li>
<p>
<strong>119:208</strong> (http_inspect) unknown HTTP version
</p>
</li>
<li>
<p>
<strong>119:209</strong> (http_inspect) format error in HTTP header
</p>
</li>
<li>
<p>
<strong>119:210</strong> (http_inspect) chunk header options present
</p>
</li>
<li>
<p>
<strong>119:211</strong> (http_inspect) URI badly formatted
</p>
</li>
<li>
<p>
<strong>119:212</strong> (http_inspect) unrecognized type of percent encoding in URI
</p>
</li>
<li>
<p>
<strong>119:213</strong> (http_inspect) HTTP chunk misformatted
</p>
</li>
<li>
<p>
<strong>119:214</strong> (http_inspect) white space adjacent to chunk length
</p>
</li>
<li>
<p>
<strong>119:215</strong> (http_inspect) white space within header name
</p>
</li>
<li>
<p>
<strong>119:216</strong> (http_inspect) excessive gzip compression
</p>
</li>
<li>
<p>
<strong>119:217</strong> (http_inspect) gzip decompression failed
</p>
</li>
<li>
<p>
<strong>119:218</strong> (http_inspect) HTTP 0.9 requested followed by another request
</p>
</li>
<li>
<p>
<strong>119:219</strong> (http_inspect) HTTP 0.9 request following a normal request
</p>
</li>
<li>
<p>
<strong>119:220</strong> (http_inspect) message has both Content-Length and Transfer-Encoding
</p>
</li>
<li>
<p>
<strong>119:221</strong> (http_inspect) status code implying no body combined with Transfer-Encoding or nonzero Content-Length
</p>
</li>
<li>
<p>
<strong>119:222</strong> (http_inspect) Transfer-Encoding not ending with chunked
</p>
</li>
<li>
<p>
<strong>119:223</strong> (http_inspect) Transfer-Encoding with encodings before chunked
</p>
</li>
<li>
<p>
<strong>119:224</strong> (http_inspect) misformatted HTTP traffic
</p>
</li>
<li>
<p>
<strong>119:225</strong> (http_inspect) unsupported Content-Encoding used
</p>
</li>
<li>
<p>
<strong>119:226</strong> (http_inspect) unknown Content-Encoding used
</p>
</li>
<li>
<p>
<strong>119:227</strong> (http_inspect) multiple Content-Encodings applied
</p>
</li>
<li>
<p>
<strong>119:228</strong> (http_inspect) server response before client request
</p>
</li>
<li>
<p>
<strong>119:229</strong> (http_inspect) PDF/SWF/ZIP decompression of server response too big
</p>
</li>
<li>
<p>
<strong>119:230</strong> (http_inspect) nonprinting character in HTTP message header name
</p>
</li>
<li>
<p>
<strong>119:231</strong> (http_inspect) bad Content-Length value in HTTP header
</p>
</li>
<li>
<p>
<strong>119:232</strong> (http_inspect) HTTP header line wrapped
</p>
</li>
<li>
<p>
<strong>119:233</strong> (http_inspect) HTTP header line terminated by CR without a LF
</p>
</li>
<li>
<p>
<strong>119:234</strong> (http_inspect) chunk terminated by nonstandard separator
</p>
</li>
<li>
<p>
<strong>119:235</strong> (http_inspect) chunk length terminated by LF without CR
</p>
</li>
<li>
<p>
<strong>119:236</strong> (http_inspect) more than one response with 100 status code
</p>
</li>
<li>
<p>
<strong>119:237</strong> (http_inspect) 100 status code not in response to Expect header
</p>
</li>
<li>
<p>
<strong>119:238</strong> (http_inspect) 1XX status code other than 100 or 101
</p>
</li>
<li>
<p>
<strong>119:239</strong> (http_inspect) Expect header sent without a message body
</p>
</li>
<li>
<p>
<strong>119:240</strong> (http_inspect) HTTP 1.0 message with Transfer-Encoding header
</p>
</li>
<li>
<p>
<strong>119:241</strong> (http_inspect) Content-Transfer-Encoding used as HTTP header
</p>
</li>
<li>
<p>
<strong>119:242</strong> (http_inspect) illegal field in chunked message trailers
</p>
</li>
<li>
<p>
<strong>119:243</strong> (http_inspect) header field inappropriately appears twice or has two values
</p>
</li>
<li>
<p>
<strong>119:244</strong> (http_inspect) invalid value chunked in Content-Encoding header
</p>
</li>
<li>
<p>
<strong>119:245</strong> (http_inspect) 206 response sent to a request without a Range header
</p>
</li>
<li>
<p>
<strong>119:246</strong> (http_inspect) <em>HTTP</em> in version field not all upper case
</p>
</li>
<li>
<p>
<strong>119:247</strong> (http_inspect) white space embedded in critical header value
</p>
</li>
<li>
<p>
<strong>119:248</strong> (http_inspect) gzip compressed data followed by unexpected non-gzip data
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>http_inspect.flows</strong>: HTTP connections inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.scans</strong>: TCP segments scanned looking for HTTP messages (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.reassembles</strong>: TCP segments combined into HTTP messages (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.inspections</strong>: total message sections inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.requests</strong>: HTTP request messages inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.responses</strong>: HTTP response messages inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.get_requests</strong>: GET requests inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.head_requests</strong>: HEAD requests inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.post_requests</strong>: POST requests inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.put_requests</strong>: PUT requests inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.delete_requests</strong>: DELETE requests inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.connect_requests</strong>: CONNECT requests inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.options_requests</strong>: OPTIONS requests inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.trace_requests</strong>: TRACE requests inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.other_requests</strong>: other request methods inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.request_bodies</strong>: POST, PUT, and other requests with message bodies (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.chunked</strong>: chunked message bodies (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.uri_normalizations</strong>: URIs needing to be normalization (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.uri_path</strong>: URIs with path problems (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.uri_coding</strong>: URIs with character coding problems (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.concurrent_sessions</strong>: total concurrent http sessions (now)
</p>
</li>
<li>
<p>
<strong>http_inspect.max_concurrent_sessions</strong>: maximum concurrent http sessions (max)
</p>
</li>
<li>
<p>
<strong>http_inspect.detained_packets</strong>: TCP packets delayed by accelerated blocking (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.partial_inspections</strong>: pre-inspections for accelerated blocking (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_imap">imap</h3>
<div class="paragraph"><p>What: imap inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>imap.b64_decode_depth</strong> = 1460: base64 decoding depth (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>imap.bitenc_decode_depth</strong> = 1460: non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
bool <strong>imap.decompress_pdf</strong> = false: decompress pdf files in MIME attachments
</p>
</li>
<li>
<p>
bool <strong>imap.decompress_swf</strong> = false: decompress swf files in MIME attachments
</p>
</li>
<li>
<p>
bool <strong>imap.decompress_zip</strong> = false: decompress zip files in MIME attachments
</p>
</li>
<li>
<p>
int <strong>imap.qp_decode_depth</strong> = 1460: quoted Printable decoding depth (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>imap.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>141:1</strong> (imap) unknown IMAP3 command
</p>
</li>
<li>
<p>
<strong>141:2</strong> (imap) unknown IMAP3 response
</p>
</li>
<li>
<p>
<strong>141:4</strong> (imap) base64 decoding failed
</p>
</li>
<li>
<p>
<strong>141:5</strong> (imap) quoted-printable decoding failed
</p>
</li>
<li>
<p>
<strong>141:7</strong> (imap) Unix-to-Unix decoding failed
</p>
</li>
<li>
<p>
<strong>141:8</strong> (imap) file decompression failed
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>imap.packets</strong>: total packets processed (sum)
</p>
</li>
<li>
<p>
<strong>imap.sessions</strong>: total imap sessions (sum)
</p>
</li>
<li>
<p>
<strong>imap.concurrent_sessions</strong>: total concurrent imap sessions (now)
</p>
</li>
<li>
<p>
<strong>imap.max_concurrent_sessions</strong>: maximum concurrent imap sessions (max)
</p>
</li>
<li>
<p>
<strong>imap.b64_attachments</strong>: total base64 attachments decoded (sum)
</p>
</li>
<li>
<p>
<strong>imap.b64_decoded_bytes</strong>: total base64 decoded bytes (sum)
</p>
</li>
<li>
<p>
<strong>imap.qp_attachments</strong>: total quoted-printable attachments decoded (sum)
</p>
</li>
<li>
<p>
<strong>imap.qp_decoded_bytes</strong>: total quoted-printable decoded bytes (sum)
</p>
</li>
<li>
<p>
<strong>imap.uu_attachments</strong>: total uu attachments decoded (sum)
</p>
</li>
<li>
<p>
<strong>imap.uu_decoded_bytes</strong>: total uu decoded bytes (sum)
</p>
</li>
<li>
<p>
<strong>imap.non_encoded_attachments</strong>: total non-encoded attachments extracted (sum)
</p>
</li>
<li>
<p>
<strong>imap.non_encoded_bytes</strong>: total non-encoded extracted bytes (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_mem_test">mem_test</h3>
<div class="paragraph"><p>What: for testing memory management</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>mem_test.packets</strong>: total packets (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_modbus">modbus</h3>
<div class="paragraph"><p>What: modbus inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>144:1</strong> (modbus) length in Modbus MBAP header does not match the length needed for the given function
</p>
</li>
<li>
<p>
<strong>144:2</strong> (modbus) Modbus protocol ID is non-zero
</p>
</li>
<li>
<p>
<strong>144:3</strong> (modbus) reserved Modbus function code in use
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>modbus.sessions</strong>: total sessions processed (sum)
</p>
</li>
<li>
<p>
<strong>modbus.frames</strong>: total Modbus messages (sum)
</p>
</li>
<li>
<p>
<strong>modbus.concurrent_sessions</strong>: total concurrent modbus sessions (now)
</p>
</li>
<li>
<p>
<strong>modbus.max_concurrent_sessions</strong>: maximum concurrent modbus sessions (max)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_normalizer">normalizer</h3>
<div class="paragraph"><p>What: packet scrubbing for inline mode</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>normalizer.ip4.base</strong> = true: clear options
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip4.df</strong> = false: clear don&#8217;t frag flag
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip4.rf</strong> = false: clear reserved flag
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip4.tos</strong> = false: clear tos / differentiated services byte
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip4.trim</strong> = false: truncate excess payload beyond datagram length
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.base</strong> = true: clear reserved bits and option padding and fix urgent pointer / flags issues
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.block</strong> = true: allow packet drops during TCP normalization
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.urp</strong> = true: adjust urgent pointer if beyond segment length
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.ips</strong> = false: ensure consistency in retransmitted data
</p>
</li>
<li>
<p>
select <strong>normalizer.tcp.ecn</strong> = off: clear ecn for all packets | sessions w/o ecn setup { off | packet | stream }
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.pad</strong> = true: clear any option padding bytes
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.trim_syn</strong> = false: remove data on SYN
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.trim_rst</strong> = false: remove any data from RST packet
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.trim_win</strong> = false: trim data to window
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.trim_mss</strong> = false: trim data to MSS
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.trim</strong> = false: enable all of the TCP trim options
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.opts</strong> = true: clear all options except mss, wscale, timestamp, and any explicitly allowed
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.req_urg</strong> = true: clear the urgent pointer if the urgent flag is not set
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.req_pay</strong> = true: clear the urgent pointer and the urgent flag if there is no payload
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.rsv</strong> = true: clear the reserved bits in the TCP header
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.req_urp</strong> = true: clear the urgent flag if the urgent pointer is not set
</p>
</li>
<li>
<p>
multi <strong>normalizer.tcp.allow_names</strong>: don&#8217;t clear given option names { sack | echo | partial_order | conn_count | alt_checksum | md5 }
</p>
</li>
<li>
<p>
string <strong>normalizer.tcp.allow_codes</strong>: don&#8217;t clear given option codes
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip6</strong> = false: clear reserved flag
</p>
</li>
<li>
<p>
bool <strong>normalizer.icmp4</strong> = false: clear reserved flag
</p>
</li>
<li>
<p>
bool <strong>normalizer.icmp6</strong> = false: clear reserved flag
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>normalizer.test_ip4_trim</strong>: test eth packets trimmed to datagram size (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.ip4_trim</strong>: eth packets trimmed to datagram size (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_ip4_tos</strong>: test type of service normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.ip4_tos</strong>: type of service normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_ip4_df</strong>: test don&#8217;t frag bit normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.ip4_df</strong>: don&#8217;t frag bit normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_ip4_rf</strong>: test reserved flag bit clears (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.ip4_rf</strong>: reserved flag bit clears (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_ip4_ttl</strong>: test time-to-live normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.ip4_ttl</strong>: time-to-live normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_ip4_opts</strong>: test ip4 options cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.ip4_opts</strong>: ip4 options cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_icmp4_echo</strong>: test icmp4 ping normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.icmp4_echo</strong>: icmp4 ping normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_ip6_hops</strong>: test ip6 hop limit normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.ip6_hops</strong>: ip6 hop limit normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_ip6_options</strong>: test ip6 options cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.ip6_options</strong>: ip6 options cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_icmp6_echo</strong>: test icmp6 echo normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.icmp6_echo</strong>: icmp6 echo normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_syn_options</strong>: test SYN only options cleared from non-SYN packets (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_syn_options</strong>: SYN only options cleared from non-SYN packets (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_options</strong>: test packets with options cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_options</strong>: packets with options cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_padding</strong>: test packets with padding cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_padding</strong>: packets with padding cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_reserved</strong>: test packets with reserved bits cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_reserved</strong>: packets with reserved bits cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_nonce</strong>: test packets with nonce bit cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_nonce</strong>: packets with nonce bit cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_urgent_ptr</strong>: test packets without data with urgent pointer cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_urgent_ptr</strong>: packets without data with urgent pointer cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_ecn_pkt</strong>: test packets with ECN bits cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_ecn_pkt</strong>: packets with ECN bits cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_ts_ecr</strong>: test timestamp cleared on non-ACKs (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_ts_ecr</strong>: timestamp cleared on non-ACKs (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_req_urg</strong>: test cleared urgent pointer when urgent flag is not set (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_req_urg</strong>: cleared urgent pointer when urgent flag is not set (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_req_pay</strong>: test cleared urgent pointer and urgent flag when there is no payload (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_req_pay</strong>: cleared urgent pointer and urgent flag when there is no payload (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_req_urp</strong>: test cleared the urgent flag if the urgent pointer is not set (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_req_urp</strong>: cleared the urgent flag if the urgent pointer is not set (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_trim_syn</strong>: test tcp segments trimmed on SYN (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_trim_syn</strong>: tcp segments trimmed on SYN (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_trim_rst</strong>: test RST packets with data trimmed (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_trim_rst</strong>: RST packets with data trimmed (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_trim_win</strong>: test data trimmed to window (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_trim_win</strong>: data trimmed to window (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_trim_mss</strong>: test data trimmed to MSS (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_trim_mss</strong>: data trimmed to MSS (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_ecn_session</strong>: test ECN bits cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_ecn_session</strong>: ECN bits cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_ts_nop</strong>: test timestamp options cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_ts_nop</strong>: timestamp options cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_ips_data</strong>: test normalized segments (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_ips_data</strong>: normalized segments (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_block</strong>: test blocked segments (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_block</strong>: blocked segments (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_packet_capture">packet_capture</h3>
<div class="paragraph"><p>What: raw packet dumping facility</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>packet_capture.enable</strong> = false: initially enable packet dumping
</p>
</li>
<li>
<p>
string <strong>packet_capture.filter</strong>: bpf filter to use for packet dump
</p>
</li>
</ul></div>
<div class="paragraph"><p>Commands:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>packet_capture.enable</strong>(filter): dump raw packets
</p>
</li>
<li>
<p>
<strong>packet_capture.disable</strong>(): stop packet dump
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>packet_capture.processed</strong>: packets processed against filter (sum)
</p>
</li>
<li>
<p>
<strong>packet_capture.captured</strong>: packets matching dumped after matching filter (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_perf_monitor">perf_monitor</h3>
<div class="paragraph"><p>What: performance monitoring and flow statistics collection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>perf_monitor.base</strong> = true: enable base statistics
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.cpu</strong> = false: enable cpu statistics
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.flow</strong> = false: enable traffic statistics
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.flow_ip</strong> = false: enable statistics on host pairs
</p>
</li>
<li>
<p>
int <strong>perf_monitor.packets</strong> = 10000: minimum packets to report { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>perf_monitor.seconds</strong> = 60: report interval { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>perf_monitor.flow_ip_memcap</strong> = 52428800: maximum memory in bytes for flow tracking { 8200:maxSZ }
</p>
</li>
<li>
<p>
int <strong>perf_monitor.max_file_size</strong> = 1073741824: files will be rolled over if they exceed this size { 4096:max53 }
</p>
</li>
<li>
<p>
int <strong>perf_monitor.flow_ports</strong> = 1023: maximum ports to track { 0:65535 }
</p>
</li>
<li>
<p>
enum <strong>perf_monitor.output</strong> = file: output location for stats { file | console }
</p>
</li>
<li>
<p>
string <strong><code>perf_monitor.modules[].name</code></strong>: name of the module
</p>
</li>
<li>
<p>
string <strong><code>perf_monitor.modules[].pegs</code></strong>: list of statistics to track or empty for all counters
</p>
</li>
<li>
<p>
enum <strong>perf_monitor.format</strong> = csv: output format for stats { csv | text | json | flatbuffers }
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.summary</strong> = false: output summary at shutdown
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>perf_monitor.packets</strong>: total packets (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_pop">pop</h3>
<div class="paragraph"><p>What: pop inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>pop.b64_decode_depth</strong> = 1460: base64 decoding depth (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>pop.bitenc_decode_depth</strong> = 1460: Non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
bool <strong>pop.decompress_pdf</strong> = false: decompress pdf files in MIME attachments
</p>
</li>
<li>
<p>
bool <strong>pop.decompress_swf</strong> = false: decompress swf files in MIME attachments
</p>
</li>
<li>
<p>
bool <strong>pop.decompress_zip</strong> = false: decompress zip files in MIME attachments
</p>
</li>
<li>
<p>
int <strong>pop.qp_decode_depth</strong> = 1460: Quoted Printable decoding depth (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>pop.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>142:1</strong> (pop) unknown POP3 command
</p>
</li>
<li>
<p>
<strong>142:2</strong> (pop) unknown POP3 response
</p>
</li>
<li>
<p>
<strong>142:4</strong> (pop) base64 decoding failed
</p>
</li>
<li>
<p>
<strong>142:5</strong> (pop) quoted-printable decoding failed
</p>
</li>
<li>
<p>
<strong>142:7</strong> (pop) Unix-to-Unix decoding failed
</p>
</li>
<li>
<p>
<strong>142:8</strong> (pop) file decompression failed
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>pop.packets</strong>: total packets processed (sum)
</p>
</li>
<li>
<p>
<strong>pop.sessions</strong>: total pop sessions (sum)
</p>
</li>
<li>
<p>
<strong>pop.concurrent_sessions</strong>: total concurrent pop sessions (now)
</p>
</li>
<li>
<p>
<strong>pop.max_concurrent_sessions</strong>: maximum concurrent pop sessions (max)
</p>
</li>
<li>
<p>
<strong>pop.b64_attachments</strong>: total base64 attachments decoded (sum)
</p>
</li>
<li>
<p>
<strong>pop.b64_decoded_bytes</strong>: total base64 decoded bytes (sum)
</p>
</li>
<li>
<p>
<strong>pop.qp_attachments</strong>: total quoted-printable attachments decoded (sum)
</p>
</li>
<li>
<p>
<strong>pop.qp_decoded_bytes</strong>: total quoted-printable decoded bytes (sum)
</p>
</li>
<li>
<p>
<strong>pop.uu_attachments</strong>: total uu attachments decoded (sum)
</p>
</li>
<li>
<p>
<strong>pop.uu_decoded_bytes</strong>: total uu decoded bytes (sum)
</p>
</li>
<li>
<p>
<strong>pop.non_encoded_attachments</strong>: total non-encoded attachments extracted (sum)
</p>
</li>
<li>
<p>
<strong>pop.non_encoded_bytes</strong>: total non-encoded extracted bytes (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_port_scan_2">port_scan</h3>
<div class="paragraph"><p>What: detect various ip, icmp, tcp, and udp port or protocol scans</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>port_scan.memcap</strong> = 1048576: maximum tracker memory in bytes { 1024:maxSZ }
</p>
</li>
<li>
<p>
multi <strong>port_scan.protos</strong> = all: choose the protocols to monitor { tcp | udp | icmp | ip | all }
</p>
</li>
<li>
<p>
multi <strong>port_scan.scan_types</strong> = all: choose type of scans to look for { portscan | portsweep | decoy_portscan | distributed_portscan | all }
</p>
</li>
<li>
<p>
string <strong>port_scan.watch_ip</strong>: list of CIDRs with optional ports to watch
</p>
</li>
<li>
<p>
string <strong>port_scan.ignore_scanners</strong>: list of CIDRs with optional ports to ignore if the source of scan alerts
</p>
</li>
<li>
<p>
string <strong>port_scan.ignore_scanned</strong>: list of CIDRs with optional ports to ignore if the destination of scan alerts
</p>
</li>
<li>
<p>
bool <strong>port_scan.alert_all</strong> = false: alert on all events over threshold within window if true; else alert on first only
</p>
</li>
<li>
<p>
bool <strong>port_scan.include_midstream</strong> = false: list of CIDRs with optional ports
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_ports.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_ports.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_ports.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_ports.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_decoy.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_decoy.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_decoy.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_decoy.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_sweep.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_sweep.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_sweep.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_sweep.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_dist.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_dist.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_dist.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_dist.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_ports.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_ports.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_ports.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_ports.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_decoy.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_decoy.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_decoy.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_decoy.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_sweep.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_sweep.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_sweep.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_sweep.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_dist.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_dist.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_dist.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_dist.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_proto.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_proto.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_proto.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_proto.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_decoy.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_decoy.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_decoy.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_decoy.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_sweep.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_sweep.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_sweep.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_sweep.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_dist.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_dist.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_dist.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_dist.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.icmp_sweep.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.icmp_sweep.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.icmp_sweep.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.icmp_sweep.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_window</strong> = 0: detection interval for all TCP scans { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_window</strong> = 0: detection interval for all UDP scans { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_window</strong> = 0: detection interval for all IP scans { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>port_scan.icmp_window</strong> = 0: detection interval for all ICMP scans { 0:max32 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>122:1</strong> (port_scan) TCP portscan
</p>
</li>
<li>
<p>
<strong>122:2</strong> (port_scan) TCP decoy portscan
</p>
</li>
<li>
<p>
<strong>122:3</strong> (port_scan) TCP portsweep
</p>
</li>
<li>
<p>
<strong>122:4</strong> (port_scan) TCP distributed portscan
</p>
</li>
<li>
<p>
<strong>122:5</strong> (port_scan) TCP filtered portscan
</p>
</li>
<li>
<p>
<strong>122:6</strong> (port_scan) TCP filtered decoy portscan
</p>
</li>
<li>
<p>
<strong>122:7</strong> (port_scan) TCP filtered portsweep
</p>
</li>
<li>
<p>
<strong>122:8</strong> (port_scan) TCP filtered distributed portscan
</p>
</li>
<li>
<p>
<strong>122:9</strong> (port_scan) IP protocol scan
</p>
</li>
<li>
<p>
<strong>122:10</strong> (port_scan) IP decoy protocol scan
</p>
</li>
<li>
<p>
<strong>122:11</strong> (port_scan) IP protocol sweep
</p>
</li>
<li>
<p>
<strong>122:12</strong> (port_scan) IP distributed protocol scan
</p>
</li>
<li>
<p>
<strong>122:13</strong> (port_scan) IP filtered protocol scan
</p>
</li>
<li>
<p>
<strong>122:14</strong> (port_scan) IP filtered decoy protocol scan
</p>
</li>
<li>
<p>
<strong>122:15</strong> (port_scan) IP filtered protocol sweep
</p>
</li>
<li>
<p>
<strong>122:16</strong> (port_scan) IP filtered distributed protocol scan
</p>
</li>
<li>
<p>
<strong>122:17</strong> (port_scan) UDP portscan
</p>
</li>
<li>
<p>
<strong>122:18</strong> (port_scan) UDP decoy portscan
</p>
</li>
<li>
<p>
<strong>122:19</strong> (port_scan) UDP portsweep
</p>
</li>
<li>
<p>
<strong>122:20</strong> (port_scan) UDP distributed portscan
</p>
</li>
<li>
<p>
<strong>122:21</strong> (port_scan) UDP filtered portscan
</p>
</li>
<li>
<p>
<strong>122:22</strong> (port_scan) UDP filtered decoy portscan
</p>
</li>
<li>
<p>
<strong>122:23</strong> (port_scan) UDP filtered portsweep
</p>
</li>
<li>
<p>
<strong>122:24</strong> (port_scan) UDP filtered distributed portscan
</p>
</li>
<li>
<p>
<strong>122:25</strong> (port_scan) ICMP sweep
</p>
</li>
<li>
<p>
<strong>122:26</strong> (port_scan) ICMP filtered sweep
</p>
</li>
<li>
<p>
<strong>122:27</strong> (port_scan) open port
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>port_scan.packets</strong>: total packets (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_reputation">reputation</h3>
<div class="paragraph"><p>What: reputation inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>reputation.blacklist</strong>: blacklist file name with IP lists
</p>
</li>
<li>
<p>
string <strong>reputation.list_dir</strong>: directory for IP lists and manifest file
</p>
</li>
<li>
<p>
int <strong>reputation.memcap</strong> = 500: maximum total MB of memory allocated { 1:4095 }
</p>
</li>
<li>
<p>
enum <strong>reputation.nested_ip</strong> = inner: IP to use when there is IP encapsulation { inner|outer|all }
</p>
</li>
<li>
<p>
enum <strong>reputation.priority</strong> = whitelist: defines priority when there is a decision conflict during run-time { blacklist|whitelist }
</p>
</li>
<li>
<p>
bool <strong>reputation.scan_local</strong> = false: inspect local address defined in RFC 1918
</p>
</li>
<li>
<p>
enum <strong>reputation.white</strong> = unblack: specify the meaning of whitelist { unblack|trust }
</p>
</li>
<li>
<p>
string <strong>reputation.whitelist</strong>: whitelist file name with IP lists
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>136:1</strong> (reputation) packets blacklisted
</p>
</li>
<li>
<p>
<strong>136:2</strong> (reputation) packets whitelisted
</p>
</li>
<li>
<p>
<strong>136:3</strong> (reputation) packets monitored
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>reputation.packets</strong>: total packets processed (sum)
</p>
</li>
<li>
<p>
<strong>reputation.blacklisted</strong>: number of packets blacklisted (sum)
</p>
</li>
<li>
<p>
<strong>reputation.whitelisted</strong>: number of packets whitelisted (sum)
</p>
</li>
<li>
<p>
<strong>reputation.monitored</strong>: number of packets monitored (sum)
</p>
</li>
<li>
<p>
<strong>reputation.memory_allocated</strong>: total memory allocated (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_rna">rna</h3>
<div class="paragraph"><p>What: Real-time network awareness and OS fingerprinting (experimental)</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>rna.rna_conf_path</strong>: path to RNA configuration
</p>
</li>
<li>
<p>
string <strong>rna.rna_util_lib_path</strong>: path to library for utilities such as fingerprint decoder
</p>
</li>
<li>
<p>
string <strong>rna.fingerprint_dir</strong>: directory to fingerprint patterns
</p>
</li>
<li>
<p>
string <strong>rna.custom_fingerprint_dir</strong>: directory to custom fingerprint patterns
</p>
</li>
<li>
<p>
bool <strong>rna.enable_logger</strong> = true: enable or disable writing discovery events into logger
</p>
</li>
<li>
<p>
bool <strong>rna.log_when_idle</strong> = false: enable host update logging when snort is idle
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>rna.icmp_bidirectional</strong>: count of bidirectional ICMP flows received (sum)
</p>
</li>
<li>
<p>
<strong>rna.icmp_new</strong>: count of new ICMP flows received (sum)
</p>
</li>
<li>
<p>
<strong>rna.ip_bidirectional</strong>: count of bidirectional IP received (sum)
</p>
</li>
<li>
<p>
<strong>rna.ip_new</strong>: count of new IP flows received (sum)
</p>
</li>
<li>
<p>
<strong>rna.udp_bidirectional</strong>: count of bidirectional UDP flows received (sum)
</p>
</li>
<li>
<p>
<strong>rna.udp_new</strong>: count of new UDP flows received (sum)
</p>
</li>
<li>
<p>
<strong>rna.tcp_syn</strong>: count of TCP SYN packets received (sum)
</p>
</li>
<li>
<p>
<strong>rna.tcp_syn_ack</strong>: count of TCP SYN-ACK packets received (sum)
</p>
</li>
<li>
<p>
<strong>rna.tcp_midstream</strong>: count of TCP midstream packets received (sum)
</p>
</li>
<li>
<p>
<strong>rna.other_packets</strong>: count of packets received without session tracking (sum)
</p>
</li>
<li>
<p>
<strong>rna.change_host_update</strong>: count number of change host update events (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_rpc_decode">rpc_decode</h3>
<div class="paragraph"><p>What: RPC inspector</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>106:1</strong> (rpc_decode) fragmented RPC records
</p>
</li>
<li>
<p>
<strong>106:2</strong> (rpc_decode) multiple RPC records
</p>
</li>
<li>
<p>
<strong>106:3</strong> (rpc_decode) large RPC record fragment
</p>
</li>
<li>
<p>
<strong>106:4</strong> (rpc_decode) incomplete RPC segment
</p>
</li>
<li>
<p>
<strong>106:5</strong> (rpc_decode) zero-length RPC fragment
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>rpc_decode.total_packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>rpc_decode.concurrent_sessions</strong>: total concurrent rpc sessions (now)
</p>
</li>
<li>
<p>
<strong>rpc_decode.max_concurrent_sessions</strong>: maximum concurrent rpc sessions (max)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_rt_global">rt_global</h3>
<div class="paragraph"><p>What: The regression test global inspector is used for regression tests specific to a global inspector</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>rt_global.memcap</strong> = 2048: cap on amount of memory used
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>rt_global.packets</strong>: total packets (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_rt_packet">rt_packet</h3>
<div class="paragraph"><p>What: The regression test packet inspector is used when special packet handling is required for a reg test</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>rt_packet.retry_targeted</strong> = false: request retry for packets whose data starts with <em>A</em>
</p>
</li>
<li>
<p>
bool <strong>rt_packet.retry_all</strong> = false: request retry for all non-retry packets
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>rt_packet.packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>rt_packet.retry_requests</strong>: total retry packets requested (sum)
</p>
</li>
<li>
<p>
<strong>rt_packet.retry_packets</strong>: total retried packets received (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_rt_service">rt_service</h3>
<div class="paragraph"><p>What: The regression test service inspector is used by regression tests that require custom service inspector support.</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>rt_service.packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>rt_service.flush_requests</strong>: total splitter flush requests (sum)
</p>
</li>
<li>
<p>
<strong>rt_service.hold_requests</strong>: total splitter hold requests (sum)
</p>
</li>
<li>
<p>
<strong>rt_service.search_requests</strong>: total splitter search requests (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_sip">sip</h3>
<div class="paragraph"><p>What: sip inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>sip.ignore_call_channel</strong> = false: enables the support for ignoring audio/video data channel
</p>
</li>
<li>
<p>
int <strong>sip.max_call_id_len</strong> = 256: maximum call id field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_contact_len</strong> = 256: maximum contact field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_content_len</strong> = 1024: maximum content length of the message body { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_dialogs</strong> = 4: maximum number of dialogs within one stream session { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>sip.max_from_len</strong> = 256: maximum from field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_requestName_len</strong> = 20: maximum request name field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_to_len</strong> = 256: maximum to field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_uri_len</strong> = 256: maximum request uri field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_via_len</strong> = 1024: maximum via field size { 0:65535 }
</p>
</li>
<li>
<p>
string <strong>sip.methods</strong> = invite cancel ack  bye register options: list of methods to check in SIP messages
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>140:2</strong> (sip) empty request URI
</p>
</li>
<li>
<p>
<strong>140:3</strong> (sip) URI is too long
</p>
</li>
<li>
<p>
<strong>140:4</strong> (sip) empty call-Id
</p>
</li>
<li>
<p>
<strong>140:5</strong> (sip) Call-Id is too long
</p>
</li>
<li>
<p>
<strong>140:6</strong> (sip) CSeq number is too large or negative
</p>
</li>
<li>
<p>
<strong>140:7</strong> (sip) request name in CSeq is too long
</p>
</li>
<li>
<p>
<strong>140:8</strong> (sip) empty From header
</p>
</li>
<li>
<p>
<strong>140:9</strong> (sip) From header is too long
</p>
</li>
<li>
<p>
<strong>140:10</strong> (sip) empty To header
</p>
</li>
<li>
<p>
<strong>140:11</strong> (sip) To header is too long
</p>
</li>
<li>
<p>
<strong>140:12</strong> (sip) empty Via header
</p>
</li>
<li>
<p>
<strong>140:13</strong> (sip) Via header is too long
</p>
</li>
<li>
<p>
<strong>140:14</strong> (sip) empty Contact
</p>
</li>
<li>
<p>
<strong>140:15</strong> (sip) contact is too long
</p>
</li>
<li>
<p>
<strong>140:16</strong> (sip) content length is too large or negative
</p>
</li>
<li>
<p>
<strong>140:17</strong> (sip) multiple SIP messages in a packet
</p>
</li>
<li>
<p>
<strong>140:18</strong> (sip) content length mismatch
</p>
</li>
<li>
<p>
<strong>140:19</strong> (sip) request name is invalid
</p>
</li>
<li>
<p>
<strong>140:20</strong> (sip) Invite replay attack
</p>
</li>
<li>
<p>
<strong>140:21</strong> (sip) illegal session information modification
</p>
</li>
<li>
<p>
<strong>140:22</strong> (sip) response status code is not a 3 digit number
</p>
</li>
<li>
<p>
<strong>140:23</strong> (sip) empty Content-type header
</p>
</li>
<li>
<p>
<strong>140:24</strong> (sip) SIP version is invalid
</p>
</li>
<li>
<p>
<strong>140:25</strong> (sip) mismatch in METHOD of request and the CSEQ header
</p>
</li>
<li>
<p>
<strong>140:26</strong> (sip) method is unknown
</p>
</li>
<li>
<p>
<strong>140:27</strong> (sip) maximum dialogs within a session reached
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>sip.packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>sip.sessions</strong>: total sessions (sum)
</p>
</li>
<li>
<p>
<strong>sip.concurrent_sessions</strong>: total concurrent SIP sessions (now)
</p>
</li>
<li>
<p>
<strong>sip.max_concurrent_sessions</strong>: maximum concurrent SIP sessions (max)
</p>
</li>
<li>
<p>
<strong>sip.events</strong>: events generated (sum)
</p>
</li>
<li>
<p>
<strong>sip.dialogs</strong>: total dialogs (sum)
</p>
</li>
<li>
<p>
<strong>sip.ignored_channels</strong>: total channels ignored (sum)
</p>
</li>
<li>
<p>
<strong>sip.ignored_sessions</strong>: total sessions ignored (sum)
</p>
</li>
<li>
<p>
<strong>sip.total_requests</strong>: total requests (sum)
</p>
</li>
<li>
<p>
<strong>sip.invite</strong>: invite (sum)
</p>
</li>
<li>
<p>
<strong>sip.cancel</strong>: cancel (sum)
</p>
</li>
<li>
<p>
<strong>sip.ack</strong>: ack (sum)
</p>
</li>
<li>
<p>
<strong>sip.bye</strong>: bye (sum)
</p>
</li>
<li>
<p>
<strong>sip.register</strong>: register (sum)
</p>
</li>
<li>
<p>
<strong>sip.options</strong>: options (sum)
</p>
</li>
<li>
<p>
<strong>sip.refer</strong>: refer (sum)
</p>
</li>
<li>
<p>
<strong>sip.subscribe</strong>: subscribe (sum)
</p>
</li>
<li>
<p>
<strong>sip.update</strong>: update (sum)
</p>
</li>
<li>
<p>
<strong>sip.join</strong>: join (sum)
</p>
</li>
<li>
<p>
<strong>sip.info</strong>: info (sum)
</p>
</li>
<li>
<p>
<strong>sip.message</strong>: message (sum)
</p>
</li>
<li>
<p>
<strong>sip.notify</strong>: notify (sum)
</p>
</li>
<li>
<p>
<strong>sip.prack</strong>: prack (sum)
</p>
</li>
<li>
<p>
<strong>sip.total_responses</strong>: total responses (sum)
</p>
</li>
<li>
<p>
<strong>sip.code_1xx</strong>: 1xx (sum)
</p>
</li>
<li>
<p>
<strong>sip.code_2xx</strong>: 2xx (sum)
</p>
</li>
<li>
<p>
<strong>sip.code_3xx</strong>: 3xx (sum)
</p>
</li>
<li>
<p>
<strong>sip.code_4xx</strong>: 4xx (sum)
</p>
</li>
<li>
<p>
<strong>sip.code_5xx</strong>: 5xx (sum)
</p>
</li>
<li>
<p>
<strong>sip.code_6xx</strong>: 6xx (sum)
</p>
</li>
<li>
<p>
<strong>sip.code_7xx</strong>: 7xx (sum)
</p>
</li>
<li>
<p>
<strong>sip.code_8xx</strong>: 8xx (sum)
</p>
</li>
<li>
<p>
<strong>sip.code_9xx</strong>: 9xx (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_smtp_2">smtp</h3>
<div class="paragraph"><p>What: smtp inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong><code>smtp.alt_max_command_line_len[].command</code></strong>: command string
</p>
</li>
<li>
<p>
int <strong><code>smtp.alt_max_command_line_len[].length</code></strong> = 0: specify non-default maximum for command { 0:max32 }
</p>
</li>
<li>
<p>
string <strong>smtp.auth_cmds</strong>: commands that initiate an authentication exchange
</p>
</li>
<li>
<p>
int <strong>smtp.b64_decode_depth</strong> = 1460: depth used to decode the base64 encoded MIME attachments (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
string <strong>smtp.binary_data_cmds</strong>: commands that initiate sending of data and use a length value after the command
</p>
</li>
<li>
<p>
int <strong>smtp.bitenc_decode_depth</strong> = 1460: depth used to extract the non-encoded MIME attachments (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
string <strong>smtp.data_cmds</strong>: commands that initiate sending of data with an end of data delimiter
</p>
</li>
<li>
<p>
bool <strong>smtp.decompress_pdf</strong> = false: decompress pdf files in MIME attachments
</p>
</li>
<li>
<p>
bool <strong>smtp.decompress_swf</strong> = false: decompress swf files in MIME attachments
</p>
</li>
<li>
<p>
bool <strong>smtp.decompress_zip</strong> = false: decompress zip files in MIME attachments
</p>
</li>
<li>
<p>
int <strong>smtp.email_hdrs_log_depth</strong> = 1464: depth for logging email headers { 0:20480 }
</p>
</li>
<li>
<p>
bool <strong>smtp.ignore_data</strong> = false: ignore data section of mail
</p>
</li>
<li>
<p>
bool <strong>smtp.ignore_tls_data</strong> = false: ignore TLS-encrypted data when processing rules
</p>
</li>
<li>
<p>
string <strong>smtp.invalid_cmds</strong>: alert if this command is sent from client side
</p>
</li>
<li>
<p>
bool <strong>smtp.log_email_hdrs</strong> = false: log the SMTP email headers extracted from SMTP data
</p>
</li>
<li>
<p>
bool <strong>smtp.log_filename</strong> = false: log the MIME attachment filenames extracted from the Content-Disposition header within the MIME body
</p>
</li>
<li>
<p>
bool <strong>smtp.log_mailfrom</strong> = false: log the sender&#8217;s email address extracted from the MAIL FROM command
</p>
</li>
<li>
<p>
bool <strong>smtp.log_rcptto</strong> = false: log the recipient&#8217;s email address extracted from the RCPT TO command
</p>
</li>
<li>
<p>
int <strong>smtp.max_auth_command_line_len</strong> = 1000: max auth command Line Length { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>smtp.max_command_line_len</strong> = 0: max Command Line Length { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>smtp.max_header_line_len</strong> = 0: max SMTP DATA header line { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>smtp.max_response_line_len</strong> = 0: max SMTP response line { 0:65535 }
</p>
</li>
<li>
<p>
enum <strong>smtp.normalize</strong> = none: turns on/off normalization { none | cmds | all }
</p>
</li>
<li>
<p>
string <strong>smtp.normalize_cmds</strong>: list of commands to normalize
</p>
</li>
<li>
<p>
int <strong>smtp.qp_decode_depth</strong> = 1460: quoted-Printable decoding depth (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>smtp.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
string <strong>smtp.valid_cmds</strong>: list of valid commands
</p>
</li>
<li>
<p>
enum <strong>smtp.xlink2state</strong> = alert: enable/disable xlink2state alert { disable | alert | drop }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>124:1</strong> (smtp) attempted command buffer overflow
</p>
</li>
<li>
<p>
<strong>124:2</strong> (smtp) attempted data header buffer overflow
</p>
</li>
<li>
<p>
<strong>124:3</strong> (smtp) attempted response buffer overflow
</p>
</li>
<li>
<p>
<strong>124:4</strong> (smtp) attempted specific command buffer overflow
</p>
</li>
<li>
<p>
<strong>124:5</strong> (smtp) unknown command
</p>
</li>
<li>
<p>
<strong>124:6</strong> (smtp) illegal command
</p>
</li>
<li>
<p>
<strong>124:7</strong> (smtp) attempted header name buffer overflow
</p>
</li>
<li>
<p>
<strong>124:8</strong> (smtp) attempted X-Link2State command buffer overflow
</p>
</li>
<li>
<p>
<strong>124:10</strong> (smtp) base64 decoding failed
</p>
</li>
<li>
<p>
<strong>124:11</strong> (smtp) quoted-printable decoding failed
</p>
</li>
<li>
<p>
<strong>124:13</strong> (smtp) Unix-to-Unix decoding failed
</p>
</li>
<li>
<p>
<strong>124:14</strong> (smtp) Cyrus SASL authentication attack
</p>
</li>
<li>
<p>
<strong>124:15</strong> (smtp) attempted authentication command buffer overflow
</p>
</li>
<li>
<p>
<strong>124:16</strong> (smtp) file decompression failed
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>smtp.packets</strong>: total packets processed (sum)
</p>
</li>
<li>
<p>
<strong>smtp.sessions</strong>: total smtp sessions (sum)
</p>
</li>
<li>
<p>
<strong>smtp.concurrent_sessions</strong>: total concurrent smtp sessions (now)
</p>
</li>
<li>
<p>
<strong>smtp.max_concurrent_sessions</strong>: maximum concurrent smtp sessions (max)
</p>
</li>
<li>
<p>
<strong>smtp.b64_attachments</strong>: total base64 attachments decoded (sum)
</p>
</li>
<li>
<p>
<strong>smtp.b64_decoded_bytes</strong>: total base64 decoded bytes (sum)
</p>
</li>
<li>
<p>
<strong>smtp.qp_attachments</strong>: total quoted-printable attachments decoded (sum)
</p>
</li>
<li>
<p>
<strong>smtp.qp_decoded_bytes</strong>: total quoted-printable decoded bytes (sum)
</p>
</li>
<li>
<p>
<strong>smtp.uu_attachments</strong>: total uu attachments decoded (sum)
</p>
</li>
<li>
<p>
<strong>smtp.uu_decoded_bytes</strong>: total uu decoded bytes (sum)
</p>
</li>
<li>
<p>
<strong>smtp.non_encoded_attachments</strong>: total non-encoded attachments extracted (sum)
</p>
</li>
<li>
<p>
<strong>smtp.non_encoded_bytes</strong>: total non-encoded extracted bytes (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ssh">ssh</h3>
<div class="paragraph"><p>What: ssh inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>ssh.max_encrypted_packets</strong> = 25: ignore session after this many encrypted packets { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>ssh.max_client_bytes</strong> = 19600: number of unanswered bytes before alerting on challenge-response overflow or CRC32 { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>ssh.max_server_version_len</strong> = 80: limit before alerting on secure CRT server version string overflow { 0:255 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>128:1</strong> (ssh) challenge-response overflow exploit
</p>
</li>
<li>
<p>
<strong>128:2</strong> (ssh) SSH1 CRC32 exploit
</p>
</li>
<li>
<p>
<strong>128:3</strong> (ssh) server version string overflow
</p>
</li>
<li>
<p>
<strong>128:5</strong> (ssh) bad message direction
</p>
</li>
<li>
<p>
<strong>128:6</strong> (ssh) payload size incorrect for the given payload
</p>
</li>
<li>
<p>
<strong>128:7</strong> (ssh) failed to detect SSH version string
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>ssh.packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>ssh.concurrent_sessions</strong>: total concurrent ssh sessions (now)
</p>
</li>
<li>
<p>
<strong>ssh.max_concurrent_sessions</strong>: maximum concurrent ssh sessions (max)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ssl">ssl</h3>
<div class="paragraph"><p>What: ssl inspection</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>ssl.trust_servers</strong> = false: disables requirement that application (encrypted) data must be observed on both sides
</p>
</li>
<li>
<p>
int <strong>ssl.max_heartbeat_length</strong> = 0: maximum length of heartbeat record allowed { 0:65535 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>137:1</strong> (ssl) invalid client HELLO after server HELLO detected
</p>
</li>
<li>
<p>
<strong>137:2</strong> (ssl) invalid server HELLO without client HELLO detected
</p>
</li>
<li>
<p>
<strong>137:3</strong> (ssl) heartbeat read overrun attempt detected
</p>
</li>
<li>
<p>
<strong>137:4</strong> (ssl) large heartbeat response detected
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>ssl.packets</strong>: total packets processed (sum)
</p>
</li>
<li>
<p>
<strong>ssl.decoded</strong>: ssl packets decoded (sum)
</p>
</li>
<li>
<p>
<strong>ssl.client_hello</strong>: total client hellos (sum)
</p>
</li>
<li>
<p>
<strong>ssl.server_hello</strong>: total server hellos (sum)
</p>
</li>
<li>
<p>
<strong>ssl.certificate</strong>: total ssl certificates (sum)
</p>
</li>
<li>
<p>
<strong>ssl.server_done</strong>: total server done (sum)
</p>
</li>
<li>
<p>
<strong>ssl.client_key_exchange</strong>: total client key exchanges (sum)
</p>
</li>
<li>
<p>
<strong>ssl.server_key_exchange</strong>: total server key exchanges (sum)
</p>
</li>
<li>
<p>
<strong>ssl.change_cipher</strong>: total change cipher records (sum)
</p>
</li>
<li>
<p>
<strong>ssl.finished</strong>: total handshakes finished (sum)
</p>
</li>
<li>
<p>
<strong>ssl.client_application</strong>: total client application records (sum)
</p>
</li>
<li>
<p>
<strong>ssl.server_application</strong>: total server application records (sum)
</p>
</li>
<li>
<p>
<strong>ssl.alert</strong>: total ssl alert records (sum)
</p>
</li>
<li>
<p>
<strong>ssl.unrecognized_records</strong>: total unrecognized records (sum)
</p>
</li>
<li>
<p>
<strong>ssl.handshakes_completed</strong>: total completed ssl handshakes (sum)
</p>
</li>
<li>
<p>
<strong>ssl.bad_handshakes</strong>: total bad handshakes (sum)
</p>
</li>
<li>
<p>
<strong>ssl.sessions_ignored</strong>: total sessions ignore (sum)
</p>
</li>
<li>
<p>
<strong>ssl.detection_disabled</strong>: total detection disabled (sum)
</p>
</li>
<li>
<p>
<strong>ssl.concurrent_sessions</strong>: total concurrent ssl sessions (now)
</p>
</li>
<li>
<p>
<strong>ssl.max_concurrent_sessions</strong>: maximum concurrent ssl sessions (max)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_stream">stream</h3>
<div class="paragraph"><p>What: common flow tracking</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: global</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>stream.footprint</strong> = 0: use zero for production, non-zero for testing at given size (for TCP and user) { 0:max32 }
</p>
</li>
<li>
<p>
bool <strong>stream.ip_frags_only</strong> = false: don&#8217;t process non-frag flows
</p>
</li>
<li>
<p>
int <strong>stream.max_flows</strong> = 476288: maximum simultaneous flows tracked before pruning { 2:max32 }
</p>
</li>
<li>
<p>
int <strong>stream.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>stream.ip_cache.cap_weight</strong> = 64: additional bytes to track per flow for better estimation against cap { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>stream.icmp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>stream.icmp_cache.cap_weight</strong> = 8: additional bytes to track per flow for better estimation against cap { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>stream.tcp_cache.idle_timeout</strong> = 3600: maximum inactive time before retiring session tracker { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>stream.tcp_cache.cap_weight</strong> = 11500: additional bytes to track per flow for better estimation against cap { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>stream.udp_cache.cap_weight</strong> = 128: additional bytes to track per flow for better estimation against cap { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>stream.user_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>stream.user_cache.cap_weight</strong> = 256: additional bytes to track per flow for better estimation against cap { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>stream.file_cache.cap_weight</strong> = 32: additional bytes to track per flow for better estimation against cap { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>stream.trace</strong>: mask for enabling debug traces in module { 0:max53 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>135:1</strong> (stream) TCP SYN received
</p>
</li>
<li>
<p>
<strong>135:2</strong> (stream) TCP session established
</p>
</li>
<li>
<p>
<strong>135:3</strong> (stream) TCP session cleared
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>stream.flows</strong>: total sessions (sum)
</p>
</li>
<li>
<p>
<strong>stream.total_prunes</strong>: total sessions pruned (sum)
</p>
</li>
<li>
<p>
<strong>stream.idle_prunes</strong>:  sessions pruned due to timeout (sum)
</p>
</li>
<li>
<p>
<strong>stream.excess_prunes</strong>: sessions pruned due to excess (sum)
</p>
</li>
<li>
<p>
<strong>stream.uni_prunes</strong>: uni sessions pruned (sum)
</p>
</li>
<li>
<p>
<strong>stream.preemptive_prunes</strong>: sessions pruned during preemptive pruning (sum)
</p>
</li>
<li>
<p>
<strong>stream.memcap_prunes</strong>: sessions pruned due to memcap (sum)
</p>
</li>
<li>
<p>
<strong>stream.ha_prunes</strong>: sessions pruned by high availability sync (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_stream_file">stream_file</h3>
<div class="paragraph"><p>What: stream inspector for file flow tracking and processing</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>stream_file.upload</strong> = false: indicate file transfer direction
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_stream_icmp">stream_icmp</h3>
<div class="paragraph"><p>What: stream inspector for ICMP flow tracking</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>stream_icmp.session_timeout</strong> = 30: session tracking timeout { 1:max31 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>stream_icmp.sessions</strong>: total icmp sessions (sum)
</p>
</li>
<li>
<p>
<strong>stream_icmp.max</strong>: max icmp sessions (max)
</p>
</li>
<li>
<p>
<strong>stream_icmp.created</strong>: icmp session trackers created (sum)
</p>
</li>
<li>
<p>
<strong>stream_icmp.released</strong>: icmp session trackers released (sum)
</p>
</li>
<li>
<p>
<strong>stream_icmp.timeouts</strong>: icmp session timeouts (sum)
</p>
</li>
<li>
<p>
<strong>stream_icmp.prunes</strong>: icmp session prunes (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_stream_ip">stream_ip</h3>
<div class="paragraph"><p>What: stream inspector for IP flow tracking and defragmentation</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>stream_ip.max_frags</strong> = 8192: maximum number of simultaneous fragments being tracked { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>stream_ip.max_overlaps</strong> = 0: maximum allowed overlaps per datagram; 0 is unlimited { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>stream_ip.min_frag_length</strong> = 0: alert if fragment length is below this limit before or after trimming { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>stream_ip.min_ttl</strong> = 1: discard fragments with TTL below the minimum { 1:255 }
</p>
</li>
<li>
<p>
enum <strong>stream_ip.policy</strong> = linux: fragment reassembly policy { first | linux | bsd | bsd_right | last | windows | solaris }
</p>
</li>
<li>
<p>
int <strong>stream_ip.session_timeout</strong> = 30: session tracking timeout { 1:max31 }
</p>
</li>
<li>
<p>
int <strong>stream_ip.trace</strong>: mask for enabling debug traces in module { 0:max53 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>123:1</strong> (stream_ip) inconsistent IP options on fragmented packets
</p>
</li>
<li>
<p>
<strong>123:2</strong> (stream_ip) teardrop attack
</p>
</li>
<li>
<p>
<strong>123:3</strong> (stream_ip) short fragment, possible DOS attempt
</p>
</li>
<li>
<p>
<strong>123:4</strong> (stream_ip) fragment packet ends after defragmented packet
</p>
</li>
<li>
<p>
<strong>123:5</strong> (stream_ip) zero-byte fragment packet
</p>
</li>
<li>
<p>
<strong>123:6</strong> (stream_ip) bad fragment size, packet size is negative
</p>
</li>
<li>
<p>
<strong>123:7</strong> (stream_ip) bad fragment size, packet size is greater than 65536
</p>
</li>
<li>
<p>
<strong>123:8</strong> (stream_ip) fragmentation overlap
</p>
</li>
<li>
<p>
<strong>123:11</strong> (stream_ip) TTL value less than configured minimum, not using for reassembly
</p>
</li>
<li>
<p>
<strong>123:12</strong> (stream_ip) excessive fragment overlap
</p>
</li>
<li>
<p>
<strong>123:13</strong> (stream_ip) tiny fragment
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>stream_ip.sessions</strong>: total ip sessions (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.max</strong>: max ip sessions (max)
</p>
</li>
<li>
<p>
<strong>stream_ip.created</strong>: ip session trackers created (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.released</strong>: ip session trackers released (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.timeouts</strong>: ip session timeouts (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.prunes</strong>: ip session prunes (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.total_frags</strong>: total fragments (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.current_frags</strong>: current fragments (now)
</p>
</li>
<li>
<p>
<strong>stream_ip.max_frags</strong>: max fragments (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.reassembled</strong>: reassembled datagrams (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.discards</strong>: fragments discarded (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.frag_timeouts</strong>: datagrams abandoned (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.overlaps</strong>: overlapping fragments (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.anomalies</strong>: anomalies detected (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.alerts</strong>: alerts generated (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.drops</strong>: fragments dropped (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.trackers_added</strong>: datagram trackers created (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.trackers_freed</strong>: datagram trackers released (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.trackers_cleared</strong>: datagram trackers cleared (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.trackers_completed</strong>: datagram trackers completed (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.nodes_inserted</strong>: fragments added to tracker (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.nodes_deleted</strong>: fragments deleted from tracker (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.reassembled_bytes</strong>: total reassembled bytes (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.fragmented_bytes</strong>: total fragmented bytes (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_stream_tcp">stream_tcp</h3>
<div class="paragraph"><p>What: stream inspector for TCP flow tracking and stream normalization and reassembly</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>stream_tcp.flush_factor</strong> = 0: flush upon seeing a drop in segment size after given number of non-decreasing segments { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.max_window</strong> = 0: maximum allowed TCP window { 0:1073725440 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.overlap_limit</strong> = 0: maximum number of allowed overlapping segments per session { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.max_pdu</strong> = 16384: maximum reassembled PDU size { 1460:32768 }
</p>
</li>
<li>
<p>
bool <strong>stream_tcp.no_ack</strong> = false: received data is implicitly acked immediately
</p>
</li>
<li>
<p>
enum <strong>stream_tcp.policy</strong> = bsd: determines operating system characteristics like reassembly { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }
</p>
</li>
<li>
<p>
bool <strong>stream_tcp.reassemble_async</strong> = true: queue data for reassembly before traffic is seen in both directions
</p>
</li>
<li>
<p>
int <strong>stream_tcp.require_3whs</strong> = -1: don&#8217;t track midstream sessions after given seconds from start up; -1 tracks all { -1:max31 }
</p>
</li>
<li>
<p>
bool <strong>stream_tcp.show_rebuilt_packets</strong> = false: enable cmg like output of reassembled packets
</p>
</li>
<li>
<p>
int <strong>stream_tcp.queue_limit.max_bytes</strong> = 1048576: don&#8217;t queue more than given bytes per session and direction { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.queue_limit.max_segments</strong> = 2621: don&#8217;t queue more than given segments per session and direction { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.small_segments.count</strong> = 0: limit number of small segments queued { 0:2048 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.small_segments.maximum_size</strong> = 0: limit number of small segments queued { 0:2048 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.session_timeout</strong> = 30: session tracking timeout { 1:max31 }
</p>
</li>
<li>
<p>
bool <strong>stream_tcp.track_only</strong> = false: disable reassembly if true
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>129:1</strong> (stream_tcp) SYN on established session
</p>
</li>
<li>
<p>
<strong>129:2</strong> (stream_tcp) data on SYN packet
</p>
</li>
<li>
<p>
<strong>129:3</strong> (stream_tcp) data sent on stream not accepting data
</p>
</li>
<li>
<p>
<strong>129:4</strong> (stream_tcp) TCP timestamp is outside of PAWS window
</p>
</li>
<li>
<p>
<strong>129:5</strong> (stream_tcp) bad segment, adjusted size &#8656; 0 (deprecated)
</p>
</li>
<li>
<p>
<strong>129:6</strong> (stream_tcp) window size (after scaling) larger than policy allows
</p>
</li>
<li>
<p>
<strong>129:7</strong> (stream_tcp) limit on number of overlapping TCP packets reached
</p>
</li>
<li>
<p>
<strong>129:8</strong> (stream_tcp) data sent on stream after TCP reset sent
</p>
</li>
<li>
<p>
<strong>129:9</strong> (stream_tcp) TCP client possibly hijacked, different ethernet address
</p>
</li>
<li>
<p>
<strong>129:10</strong> (stream_tcp) TCP server possibly hijacked, different ethernet address
</p>
</li>
<li>
<p>
<strong>129:11</strong> (stream_tcp) TCP data with no TCP flags set
</p>
</li>
<li>
<p>
<strong>129:12</strong> (stream_tcp) consecutive TCP small segments exceeding threshold
</p>
</li>
<li>
<p>
<strong>129:13</strong> (stream_tcp) 4-way handshake detected
</p>
</li>
<li>
<p>
<strong>129:14</strong> (stream_tcp) TCP timestamp is missing
</p>
</li>
<li>
<p>
<strong>129:15</strong> (stream_tcp) reset outside window
</p>
</li>
<li>
<p>
<strong>129:16</strong> (stream_tcp) FIN number is greater than prior FIN
</p>
</li>
<li>
<p>
<strong>129:17</strong> (stream_tcp) ACK number is greater than prior FIN
</p>
</li>
<li>
<p>
<strong>129:18</strong> (stream_tcp) data sent on stream after TCP reset received
</p>
</li>
<li>
<p>
<strong>129:19</strong> (stream_tcp) TCP window closed before receiving data
</p>
</li>
<li>
<p>
<strong>129:20</strong> (stream_tcp) TCP session without 3-way handshake
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>stream_tcp.sessions</strong>: total tcp sessions (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.max</strong>: max tcp sessions (max)
</p>
</li>
<li>
<p>
<strong>stream_tcp.created</strong>: tcp session trackers created (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.released</strong>: tcp session trackers released (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.timeouts</strong>: tcp session timeouts (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.prunes</strong>: tcp session prunes (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.instantiated</strong>: new sessions instantiated (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.setups</strong>: session initializations (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.restarts</strong>: sessions restarted (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.resyns</strong>: SYN received on established session (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.discards</strong>: tcp packets discarded (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.events</strong>: events generated (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.ignored</strong>: tcp packets ignored (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.untracked</strong>: tcp packets not tracked (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.syn_trackers</strong>: tcp session tracking started on syn (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.syn_ack_trackers</strong>: tcp session tracking started on syn-ack (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.three_way_trackers</strong>: tcp session tracking started on ack (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.data_trackers</strong>: tcp session tracking started on data (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.segs_queued</strong>: total segments queued (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.segs_released</strong>: total segments released (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.segs_split</strong>: tcp segments split when reassembling PDUs (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.segs_used</strong>: queued tcp segments applied to reassembled PDUs (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.rebuilt_packets</strong>: total reassembled PDUs (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.rebuilt_buffers</strong>: rebuilt PDU sections (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.rebuilt_bytes</strong>: total rebuilt bytes (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.overlaps</strong>: overlapping segments queued (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.gaps</strong>: missing data between PDUs (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.exceeded_max_segs</strong>: number of times the maximum queued segment limit was reached (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.exceeded_max_bytes</strong>: number of times the maximum queued byte limit was reached (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.internal_events</strong>: 135:X events generated (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.client_cleanups</strong>: number of times data from server was flushed when session released (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.server_cleanups</strong>: number of times data from client was flushed when session released (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.memory</strong>: current memory in use (now)
</p>
</li>
<li>
<p>
<strong>stream_tcp.initializing</strong>: number of sessions currently initializing (now)
</p>
</li>
<li>
<p>
<strong>stream_tcp.established</strong>: number of sessions currently established (now)
</p>
</li>
<li>
<p>
<strong>stream_tcp.closing</strong>: number of sessions currently closing (now)
</p>
</li>
<li>
<p>
<strong>stream_tcp.syns</strong>: number of syn packets (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.syn_acks</strong>: number of syn-ack packets (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.resets</strong>: number of reset packets (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.fins</strong>: number of fin packets (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.packets_held</strong>: number of packets held (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.held_packet_rexmits</strong>: number of retransmits of held packets (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.held_packets_dropped</strong>: number of held packets dropped (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.held_packets_passed</strong>: number of held packets passed (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.cur_packets_held</strong>: number of packets currently held (now)
</p>
</li>
<li>
<p>
<strong>stream_tcp.max_packets_held</strong>: maximum number of packets held simultaneously (max)
</p>
</li>
<li>
<p>
<strong>stream_tcp.held_packet_limit_exceeded</strong>: number of times limit of max held packets exceeded (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.partial_flushes</strong>: number of partial flushes initiated (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.partial_flush_bytes</strong>: partial flush total bytes (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_stream_udp">stream_udp</h3>
<div class="paragraph"><p>What: stream inspector for UDP flow tracking</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>stream_udp.session_timeout</strong> = 30: session tracking timeout { 1:max31 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>stream_udp.sessions</strong>: total udp sessions (sum)
</p>
</li>
<li>
<p>
<strong>stream_udp.max</strong>: max udp sessions (max)
</p>
</li>
<li>
<p>
<strong>stream_udp.created</strong>: udp session trackers created (sum)
</p>
</li>
<li>
<p>
<strong>stream_udp.released</strong>: udp session trackers released (sum)
</p>
</li>
<li>
<p>
<strong>stream_udp.timeouts</strong>: udp session timeouts (sum)
</p>
</li>
<li>
<p>
<strong>stream_udp.prunes</strong>: udp session prunes (sum)
</p>
</li>
<li>
<p>
<strong>stream_udp.ignored</strong>: udp packets ignored (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_stream_user">stream_user</h3>
<div class="paragraph"><p>What: stream inspector for user flow tracking and reassembly</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>stream_user.session_timeout</strong> = 30: session tracking timeout { 1:max31 }
</p>
</li>
<li>
<p>
int <strong>stream_user.trace</strong>: mask for enabling debug traces in module { 0:max53 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_telnet_2">telnet</h3>
<div class="paragraph"><p>What: telnet inspection and normalization</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>telnet.ayt_attack_thresh</strong> = -1: alert on this number of consecutive Telnet AYT commands { -1:max31 }
</p>
</li>
<li>
<p>
bool <strong>telnet.check_encrypted</strong> = false: check for end of encryption
</p>
</li>
<li>
<p>
bool <strong>telnet.encrypted_traffic</strong> = false: check for encrypted Telnet and FTP
</p>
</li>
<li>
<p>
bool <strong>telnet.normalize</strong> = false: eliminate escape sequences
</p>
</li>
</ul></div>
<div class="paragraph"><p>Rules:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>126:1</strong> (telnet) consecutive Telnet AYT commands beyond threshold
</p>
</li>
<li>
<p>
<strong>126:2</strong> (telnet) Telnet traffic encrypted
</p>
</li>
<li>
<p>
<strong>126:3</strong> (telnet) Telnet subnegotiation begin command without subnegotiation end
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>telnet.total_packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>telnet.concurrent_sessions</strong>: total concurrent Telnet sessions (now)
</p>
</li>
<li>
<p>
<strong>telnet.max_concurrent_sessions</strong>: maximum concurrent Telnet sessions (max)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_wizard_2">wizard</h3>
<div class="paragraph"><p>What: inspector that implements port-independent protocol identification</p></div>
<div class="paragraph"><p>Type: inspector</p></div>
<div class="paragraph"><p>Usage: inspect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong><code>wizard.hexes[].service</code></strong>: name of service
</p>
</li>
<li>
<p>
select <strong><code>wizard.hexes[].proto</code></strong> = tcp: protocol to scan { tcp | udp }
</p>
</li>
<li>
<p>
bool <strong><code>wizard.hexes[].client_first</code></strong> = true: which end initiates data transfer
</p>
</li>
<li>
<p>
string <strong><code>wizard.hexes[].to_server[].hex</code></strong>: sequence of data with wild chars (?)
</p>
</li>
<li>
<p>
string <strong><code>wizard.hexes[].to_client[].hex</code></strong>: sequence of data with wild chars (?)
</p>
</li>
<li>
<p>
string <strong><code>wizard.spells[].service</code></strong>: name of service
</p>
</li>
<li>
<p>
select <strong><code>wizard.spells[].proto</code></strong> = tcp: protocol to scan { tcp | udp }
</p>
</li>
<li>
<p>
bool <strong><code>wizard.spells[].client_first</code></strong> = true: which end initiates data transfer
</p>
</li>
<li>
<p>
string <strong><code>wizard.spells[].to_server[].spell</code></strong>: sequence of data with wild cards (*)
</p>
</li>
<li>
<p>
string <strong><code>wizard.spells[].to_client[].spell</code></strong>: sequence of data with wild cards (*)
</p>
</li>
<li>
<p>
multi <strong>wizard.curses</strong>: enable service identification based on internal algorithm { dce_smb | dce_udp | dce_tcp }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>wizard.tcp_scans</strong>: tcp payload scans (sum)
</p>
</li>
<li>
<p>
<strong>wizard.tcp_hits</strong>: tcp identifications (sum)
</p>
</li>
<li>
<p>
<strong>wizard.udp_scans</strong>: udp payload scans (sum)
</p>
</li>
<li>
<p>
<strong>wizard.udp_hits</strong>: udp identifications (sum)
</p>
</li>
<li>
<p>
<strong>wizard.user_scans</strong>: user payload scans (sum)
</p>
</li>
<li>
<p>
<strong>wizard.user_hits</strong>: user identifications (sum)
</p>
</li>
</ul></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_ips_action_modules">IPS Action Modules</h2>
<div class="sectionbody">
<div class="paragraph"><p>IPS actions allow you to perform custom actions when events are generated.
Unlike loggers, these are invoked before thresholding and can be used to
control external agents.</p></div>
<div class="paragraph"><p>Externally defined actions must be configured to become available to the
parser.  For the reject rule, you can set reject = { } to get the rule to
parse.</p></div>
<div class="sect2">
<h3 id="_react_2">react</h3>
<div class="paragraph"><p>What: send response to client and terminate session</p></div>
<div class="paragraph"><p>Type: ips_action</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>react.msg</strong> = false:  use rule msg in response page instead of default message
</p>
</li>
<li>
<p>
string <strong>react.page</strong>: file containing HTTP response (headers and body)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_reject_2">reject</h3>
<div class="paragraph"><p>What: terminate session with TCP reset or ICMP unreachable</p></div>
<div class="paragraph"><p>Type: ips_action</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
enum <strong>reject.reset</strong>: send TCP reset to one or both ends { source|dest|both }
</p>
</li>
<li>
<p>
enum <strong>reject.control</strong>: send ICMP unreachable(s) { network|host|port|forward|all }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_rewrite_2">rewrite</h3>
<div class="paragraph"><p>What: overwrite packet contents</p></div>
<div class="paragraph"><p>Type: ips_action</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>rewrite.disable_replace</strong> = false: disable replace of packet contents with rewrite rules
</p>
</li>
</ul></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_ips_option_modules">IPS Option Modules</h2>
<div class="sectionbody">
<div class="paragraph"><p>IPS options are the building blocks of IPS rules.</p></div>
<div class="sect2">
<h3 id="_ack">ack</h3>
<div class="paragraph"><p>What: rule option to match on TCP ack numbers</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
interval <strong>ack.~range</strong>: check if TCP ack value is <em>value | min&lt;&gt;max | &lt;max | &gt;min</em> { 0: }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_appids">appids</h3>
<div class="paragraph"><p>What: detection option for application ids</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>appids.~</strong>: comma separated list of application names
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_asn1">asn1</h3>
<div class="paragraph"><p>What: rule option for asn1 detection</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>asn1.bitstring_overflow</strong>: detects invalid bitstring encodings that are known to be remotely exploitable
</p>
</li>
<li>
<p>
implied <strong>asn1.double_overflow</strong>: detects a double ASCII encoding that is larger than a standard buffer
</p>
</li>
<li>
<p>
implied <strong>asn1.print</strong>: dump decode data to console; always true
</p>
</li>
<li>
<p>
int <strong>asn1.oversize_length</strong>: compares ASN.1 type lengths with the supplied argument { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>asn1.absolute_offset</strong>: absolute offset from the beginning of the packet { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>asn1.relative_offset</strong>: relative offset from the cursor { -65535:65535 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_base64_decode">base64_decode</h3>
<div class="paragraph"><p>What: rule option to decode base64 data - must be used with base64_data option</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>base64_decode.bytes</strong>: number of base64 encoded bytes to decode { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>base64_decode.offset</strong> = 0: bytes past start of buffer to start decoding { 0:max32 }
</p>
</li>
<li>
<p>
implied <strong>base64_decode.relative</strong>: apply offset to cursor instead of start of buffer
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ber_data">ber_data</h3>
<div class="paragraph"><p>What: rule option to move to the data for a specified BER element</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>ber_data.~type</strong>: move to the data for the specified BER element type { 0:255 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ber_skip">ber_skip</h3>
<div class="paragraph"><p>What: rule option to skip BER element</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>ber_skip.~type</strong>: BER element type to skip { 0:255 }
</p>
</li>
<li>
<p>
implied <strong>ber_skip.optional</strong>: match even if the specified BER type is not found
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_bufferlen">bufferlen</h3>
<div class="paragraph"><p>What: rule option to check length of current buffer</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
interval <strong>bufferlen.~range</strong>: check that length of current buffer is in given range { 0:65535 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_byte_extract_2">byte_extract</h3>
<div class="paragraph"><p>What: rule option to convert data to an integer variable</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>byte_extract.~count</strong>: number of bytes to pick up from the buffer { 1:10 }
</p>
</li>
<li>
<p>
int <strong>byte_extract.~offset</strong>: number of bytes into the buffer to start processing { -65535:65535 }
</p>
</li>
<li>
<p>
string <strong>byte_extract.~name</strong>: name of the variable that will be used in other rule options
</p>
</li>
<li>
<p>
implied <strong>byte_extract.relative</strong>: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
int <strong>byte_extract.multiplier</strong> = 1: scale extracted value by given amount { 1:65535 }
</p>
</li>
<li>
<p>
int <strong>byte_extract.align</strong> = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }
</p>
</li>
<li>
<p>
implied <strong>byte_extract.big</strong>: big endian
</p>
</li>
<li>
<p>
implied <strong>byte_extract.little</strong>: little endian
</p>
</li>
<li>
<p>
implied <strong>byte_extract.dce</strong>: dcerpc2 determines endianness
</p>
</li>
<li>
<p>
implied <strong>byte_extract.string</strong>: convert from string
</p>
</li>
<li>
<p>
implied <strong>byte_extract.hex</strong>: convert from hex string
</p>
</li>
<li>
<p>
implied <strong>byte_extract.oct</strong>: convert from octal string
</p>
</li>
<li>
<p>
implied <strong>byte_extract.dec</strong>: convert from decimal string
</p>
</li>
<li>
<p>
int <strong>byte_extract.bitmask</strong>: applies as an AND to the extracted value before storage in <em>name</em> { 0x1:0xFFFFFFFF }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_byte_jump_2">byte_jump</h3>
<div class="paragraph"><p>What: rule option to move the detection cursor</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>byte_jump.~count</strong>: number of bytes to pick up from the buffer { 0:10 }
</p>
</li>
<li>
<p>
string <strong>byte_jump.~offset</strong>: variable name or number of bytes into the buffer to start processing
</p>
</li>
<li>
<p>
implied <strong>byte_jump.relative</strong>: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
implied <strong>byte_jump.from_beginning</strong>: jump from start of buffer instead of cursor
</p>
</li>
<li>
<p>
implied <strong>byte_jump.from_end</strong>: jump backward from end of buffer
</p>
</li>
<li>
<p>
int <strong>byte_jump.multiplier</strong> = 1: scale extracted value by given amount { 1:65535 }
</p>
</li>
<li>
<p>
int <strong>byte_jump.align</strong> = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }
</p>
</li>
<li>
<p>
string <strong>byte_jump.post_offset</strong>: skip forward or backward (positive or negative value) by variable name or number of bytes after the other jump options have been applied
</p>
</li>
<li>
<p>
implied <strong>byte_jump.big</strong>: big endian
</p>
</li>
<li>
<p>
implied <strong>byte_jump.little</strong>: little endian
</p>
</li>
<li>
<p>
implied <strong>byte_jump.dce</strong>: dcerpc2 determines endianness
</p>
</li>
<li>
<p>
implied <strong>byte_jump.string</strong>: convert from string
</p>
</li>
<li>
<p>
implied <strong>byte_jump.hex</strong>: convert from hex string
</p>
</li>
<li>
<p>
implied <strong>byte_jump.oct</strong>: convert from octal string
</p>
</li>
<li>
<p>
implied <strong>byte_jump.dec</strong>: convert from decimal string
</p>
</li>
<li>
<p>
int <strong>byte_jump.bitmask</strong>: applies as an AND prior to evaluation { 0x1:0xFFFFFFFF }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_byte_math_2">byte_math</h3>
<div class="paragraph"><p>What: rule option to perform mathematical operations on extracted value and a specified value or existing variable</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>byte_math.bytes</strong>: number of bytes to pick up from the buffer { 1:10 }
</p>
</li>
<li>
<p>
string <strong>byte_math.offset</strong>: number of bytes into the buffer to start processing
</p>
</li>
<li>
<p>
enum <strong>byte_math.oper</strong>: mathematical operation to perform { +|-|*|/|&lt;&lt;|&gt;&gt; }
</p>
</li>
<li>
<p>
string <strong>byte_math.rvalue</strong>: value to use mathematical operation against
</p>
</li>
<li>
<p>
string <strong>byte_math.result</strong>: name of the variable to store the result
</p>
</li>
<li>
<p>
implied <strong>byte_math.relative</strong>: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
enum <strong>byte_math.endian</strong>: specify big/little endian { big|little }
</p>
</li>
<li>
<p>
implied <strong>byte_math.dce</strong>: dcerpc2 determines endianness
</p>
</li>
<li>
<p>
enum <strong>byte_math.string</strong>: convert extracted string to dec/hex/oct { hex|dec|oct }
</p>
</li>
<li>
<p>
int <strong>byte_math.bitmask</strong>: applies as bitwise AND to the extracted value before storage in <em>name</em> { 0x1:0xFFFFFFFF }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_byte_test_2">byte_test</h3>
<div class="paragraph"><p>What: rule option to convert data to integer and compare</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>byte_test.~count</strong>: number of bytes to pick up from the buffer { 1:10 }
</p>
</li>
<li>
<p>
string <strong>byte_test.~operator</strong>: operation to perform to test the value
</p>
</li>
<li>
<p>
string <strong>byte_test.~compare</strong>: variable name or value to test the converted result against
</p>
</li>
<li>
<p>
string <strong>byte_test.~offset</strong>: variable name or number of bytes into the payload to start processing
</p>
</li>
<li>
<p>
implied <strong>byte_test.relative</strong>: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
implied <strong>byte_test.big</strong>: big endian
</p>
</li>
<li>
<p>
implied <strong>byte_test.little</strong>: little endian
</p>
</li>
<li>
<p>
implied <strong>byte_test.dce</strong>: dcerpc2 determines endianness
</p>
</li>
<li>
<p>
implied <strong>byte_test.string</strong>: convert from string
</p>
</li>
<li>
<p>
implied <strong>byte_test.hex</strong>: convert from hex string
</p>
</li>
<li>
<p>
implied <strong>byte_test.oct</strong>: convert from octal string
</p>
</li>
<li>
<p>
implied <strong>byte_test.dec</strong>: convert from decimal string
</p>
</li>
<li>
<p>
int <strong>byte_test.bitmask</strong>: applies as an AND prior to evaluation { 0x1:0xFFFFFFFF }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_classtype">classtype</h3>
<div class="paragraph"><p>What: general rule option for rule classification</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>classtype.~</strong>: classification for this rule
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_content">content</h3>
<div class="paragraph"><p>What: payload rule option for basic pattern matching</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>content.~data</strong>: data to match
</p>
</li>
<li>
<p>
implied <strong>content.nocase</strong>: case insensitive match
</p>
</li>
<li>
<p>
implied <strong>content.fast_pattern</strong>: use this content in the fast pattern matcher instead of the content selected by default
</p>
</li>
<li>
<p>
int <strong>content.fast_pattern_offset</strong> = 0: number of leading characters of this content the fast pattern matcher should exclude { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>content.fast_pattern_length</strong>: maximum number of characters from this content the fast pattern matcher should use { 1:65535 }
</p>
</li>
<li>
<p>
string <strong>content.offset</strong>: var or number of bytes from start of buffer to start search
</p>
</li>
<li>
<p>
string <strong>content.depth</strong>: var or maximum number of bytes to search from beginning of buffer
</p>
</li>
<li>
<p>
string <strong>content.distance</strong>: var or number of bytes from cursor to start search
</p>
</li>
<li>
<p>
string <strong>content.within</strong>: var or maximum number of bytes to search from cursor
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_cvs">cvs</h3>
<div class="paragraph"><p>What: payload rule option for detecting specific attacks</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>cvs.invalid-entry</strong>: looks for an invalid Entry string
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_dce_iface_2">dce_iface</h3>
<div class="paragraph"><p>What: detection option to check dcerpc interface</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>dce_iface.uuid</strong>: match given dcerpc uuid
</p>
</li>
<li>
<p>
interval <strong>dce_iface.version</strong>: interface version { 0: }
</p>
</li>
<li>
<p>
implied <strong>dce_iface.any_frag</strong>: match on any fragment
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_dce_opnum_2">dce_opnum</h3>
<div class="paragraph"><p>What: detection option to check dcerpc operation number</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>dce_opnum.~</strong>: match given dcerpc operation number, range or list
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_dce_stub_data_2">dce_stub_data</h3>
<div class="paragraph"><p>What: sets the cursor to dcerpc stub data</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
</div>
<div class="sect2">
<h3 id="_detection_filter">detection_filter</h3>
<div class="paragraph"><p>What: rule option to require multiple hits before a rule generates an event</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
enum <strong>detection_filter.track</strong>: track hits by source or destination IP address { by_src | by_dst }
</p>
</li>
<li>
<p>
int <strong>detection_filter.count</strong>: hits in interval before allowing the rule to fire { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>detection_filter.seconds</strong>: length of interval to count hits { 1:max32 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_dnp3_data">dnp3_data</h3>
<div class="paragraph"><p>What: sets the cursor to dnp3 data</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
</div>
<div class="sect2">
<h3 id="_dnp3_func">dnp3_func</h3>
<div class="paragraph"><p>What: detection option to check DNP3 function code</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>dnp3_func.~</strong>: match DNP3 function code or name
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_dnp3_ind">dnp3_ind</h3>
<div class="paragraph"><p>What: detection option to check DNP3 indicator flags</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>dnp3_ind.~</strong>: match given DNP3 indicator flags
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_dnp3_obj">dnp3_obj</h3>
<div class="paragraph"><p>What: detection option to check DNP3 object headers</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>dnp3_obj.group</strong> = 0: match given DNP3 object header group { 0:255 }
</p>
</li>
<li>
<p>
int <strong>dnp3_obj.var</strong> = 0: match given DNP3 object header var { 0:255 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_dsize">dsize</h3>
<div class="paragraph"><p>What: rule option to test payload size</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
interval <strong>dsize.~range</strong>: check if packet payload size is in the given range { 0:65535 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_file_data">file_data</h3>
<div class="paragraph"><p>What: rule option to set detection cursor to file data</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
</div>
<div class="sect2">
<h3 id="_file_type">file_type</h3>
<div class="paragraph"><p>What: rule option to check file type</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>file_type.~</strong>: list of file type IDs to match
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_flags">flags</h3>
<div class="paragraph"><p>What: rule option to test TCP control flags</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>flags.~test_flags</strong>: these flags are tested
</p>
</li>
<li>
<p>
string <strong>flags.~mask_flags</strong>: these flags are don&#8217;t cares
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_flow">flow</h3>
<div class="paragraph"><p>What: rule option to check session properties</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>flow.to_client</strong>: match on server responses
</p>
</li>
<li>
<p>
implied <strong>flow.to_server</strong>: match on client requests
</p>
</li>
<li>
<p>
implied <strong>flow.from_client</strong>: same as to_server
</p>
</li>
<li>
<p>
implied <strong>flow.from_server</strong>: same as to_client
</p>
</li>
<li>
<p>
implied <strong>flow.established</strong>: match only during data transfer phase
</p>
</li>
<li>
<p>
implied <strong>flow.not_established</strong>: match only outside data transfer phase
</p>
</li>
<li>
<p>
implied <strong>flow.stateless</strong>: match regardless of stream state
</p>
</li>
<li>
<p>
implied <strong>flow.no_stream</strong>: match on raw packets only
</p>
</li>
<li>
<p>
implied <strong>flow.only_stream</strong>: match on reassembled packets only
</p>
</li>
<li>
<p>
implied <strong>flow.no_frag</strong>: match on raw packets only
</p>
</li>
<li>
<p>
implied <strong>flow.only_frag</strong>: match on defragmented packets only
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_flowbits">flowbits</h3>
<div class="paragraph"><p>What: rule option to set and test arbitrary boolean flags</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>flowbits.~command</strong>: set|reset|isset|etc.
</p>
</li>
<li>
<p>
string <strong>flowbits.~arg1</strong>: bits or group
</p>
</li>
<li>
<p>
string <strong>flowbits.~arg2</strong>: group if arg1 is bits
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_fragbits">fragbits</h3>
<div class="paragraph"><p>What: rule option to test IP frag flags</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>fragbits.~flags</strong>: these flags are tested
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_fragoffset">fragoffset</h3>
<div class="paragraph"><p>What: rule option to test IP frag offset</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
interval <strong>fragoffset.~range</strong>: check if ip fragment offset is in given range { 0:8192 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_gid">gid</h3>
<div class="paragraph"><p>What: rule option specifying rule generator</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>gid.~</strong>: generator id { 1:max32 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_gtp_info">gtp_info</h3>
<div class="paragraph"><p>What: rule option to check gtp info element</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>gtp_info.~</strong>: info element to match
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_gtp_type">gtp_type</h3>
<div class="paragraph"><p>What: rule option to check gtp types</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>gtp_type.~</strong>: list of types to match
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_gtp_version">gtp_version</h3>
<div class="paragraph"><p>What: rule option to check GTP version</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>gtp_version.~</strong>: version to match { 0:2 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http2_decoded_header">http2_decoded_header</h3>
<div class="paragraph"><p>What: rule option to set detection cursor to the decoded HTTP/2 header</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
</div>
<div class="sect2">
<h3 id="_http2_frame_data">http2_frame_data</h3>
<div class="paragraph"><p>What: rule option to set detection cursor to the HTTP/2 frame body</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
</div>
<div class="sect2">
<h3 id="_http2_frame_header">http2_frame_header</h3>
<div class="paragraph"><p>What: rule option to set detection cursor to the 9-octet HTTP/2 frame header</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
</div>
<div class="sect2">
<h3 id="_http_client_body_2">http_client_body</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the request body</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
</div>
<div class="sect2">
<h3 id="_http_cookie">http_cookie</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP cookie</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>http_cookie.request</strong>: match against the cookie from the request message even when examining the response
</p>
</li>
<li>
<p>
implied <strong>http_cookie.with_header</strong>: this rule is limited to examining HTTP message headers
</p>
</li>
<li>
<p>
implied <strong>http_cookie.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_cookie.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http_header">http_header</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized headers</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>http_header.field</strong>: restrict to given header. Header name is case insensitive.
</p>
</li>
<li>
<p>
implied <strong>http_header.request</strong>: match against the headers from the request message even when examining the response
</p>
</li>
<li>
<p>
implied <strong>http_header.with_header</strong>: this rule is limited to examining HTTP message headers
</p>
</li>
<li>
<p>
implied <strong>http_header.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_header.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http_method_2">http_method</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP request method</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>http_method.with_header</strong>: this rule is limited to examining HTTP message headers
</p>
</li>
<li>
<p>
implied <strong>http_method.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_method.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http_raw_body_2">http_raw_body</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized message body</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
</div>
<div class="sect2">
<h3 id="_http_raw_cookie">http_raw_cookie</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized cookie</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>http_raw_cookie.request</strong>: match against the cookie from the request message even when examining the response
</p>
</li>
<li>
<p>
implied <strong>http_raw_cookie.with_header</strong>: this rule is limited to examining HTTP message headers
</p>
</li>
<li>
<p>
implied <strong>http_raw_cookie.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_raw_cookie.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http_raw_header">http_raw_header</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized headers</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>http_raw_header.request</strong>: match against the headers from the request message even when examining the response
</p>
</li>
<li>
<p>
implied <strong>http_raw_header.with_header</strong>: this rule is limited to examining HTTP message headers
</p>
</li>
<li>
<p>
implied <strong>http_raw_header.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_raw_header.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http_raw_request">http_raw_request</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized request line</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>http_raw_request.with_header</strong>: this rule is limited to examining HTTP message headers
</p>
</li>
<li>
<p>
implied <strong>http_raw_request.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_raw_request.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http_raw_status">http_raw_status</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized status line</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>http_raw_status.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_raw_status.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http_raw_trailer">http_raw_trailer</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized trailers</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>http_raw_trailer.request</strong>: match against the trailers from the request message even when examining the response
</p>
</li>
<li>
<p>
implied <strong>http_raw_trailer.with_header</strong>: parts of this rule examine HTTP response message headers (must be combined with request)
</p>
</li>
<li>
<p>
implied <strong>http_raw_trailer.with_body</strong>: parts of this rule examine HTTP response message body (must be combined with request)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http_raw_uri">http_raw_uri</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the unnormalized URI</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>http_raw_uri.with_header</strong>: this rule is limited to examining HTTP message headers
</p>
</li>
<li>
<p>
implied <strong>http_raw_uri.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_raw_uri.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
<li>
<p>
implied <strong>http_raw_uri.scheme</strong>: match against scheme section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_raw_uri.host</strong>: match against host section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_raw_uri.port</strong>: match against port section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_raw_uri.path</strong>: match against path section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_raw_uri.query</strong>: match against query section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_raw_uri.fragment</strong>: match against fragment section of URI only
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http_stat_code_2">http_stat_code</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP status code</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>http_stat_code.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_stat_code.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http_stat_msg_2">http_stat_msg</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the HTTP status message</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>http_stat_msg.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_stat_msg.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http_trailer">http_trailer</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized trailers</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>http_trailer.field</strong>: restrict to given trailer
</p>
</li>
<li>
<p>
implied <strong>http_trailer.request</strong>: match against the trailers from the request message even when examining the response
</p>
</li>
<li>
<p>
implied <strong>http_trailer.with_header</strong>: parts of this rule examine HTTP response message headers (must be combined with request)
</p>
</li>
<li>
<p>
implied <strong>http_trailer.with_body</strong>: parts of this rule examine HTTP message body (must be combined with request)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http_true_ip_2">http_true_ip</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the final client IP address</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>http_true_ip.with_header</strong>: this rule is limited to examining HTTP message headers
</p>
</li>
<li>
<p>
implied <strong>http_true_ip.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_true_ip.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http_uri">http_uri</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized URI buffer</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>http_uri.with_header</strong>: this rule is limited to examining HTTP message headers
</p>
</li>
<li>
<p>
implied <strong>http_uri.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_uri.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
<li>
<p>
implied <strong>http_uri.scheme</strong>: match against scheme section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_uri.host</strong>: match against host section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_uri.port</strong>: match against port section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_uri.path</strong>: match against path section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_uri.query</strong>: match against query section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_uri.fragment</strong>: match against fragment section of URI only
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_http_version_2">http_version</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the version buffer</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>http_version.request</strong>: match against the version from the request message even when examining the response
</p>
</li>
<li>
<p>
implied <strong>http_version.with_header</strong>: this rule is limited to examining HTTP message headers
</p>
</li>
<li>
<p>
implied <strong>http_version.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_version.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_icmp_id">icmp_id</h3>
<div class="paragraph"><p>What: rule option to check ICMP ID</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
interval <strong>icmp_id.~range</strong>: check if ICMP ID is in given range { 0:65535 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_icmp_seq">icmp_seq</h3>
<div class="paragraph"><p>What: rule option to check ICMP sequence number</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
interval <strong>icmp_seq.~range</strong>: check if ICMP sequence number is in given range { 0:65535 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_icode">icode</h3>
<div class="paragraph"><p>What: rule option to check ICMP code</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
interval <strong>icode.~range</strong>: check if ICMP code is in given range is { 0:255 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_id">id</h3>
<div class="paragraph"><p>What: rule option to check the IP ID field</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
interval <strong>id.~range</strong>: check if the IP ID is in the given range { 0: }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ip_proto">ip_proto</h3>
<div class="paragraph"><p>What: rule option to check the IP protocol number</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>ip_proto.~proto</strong>: [!|&gt;|&lt;] name or number
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ipopts">ipopts</h3>
<div class="paragraph"><p>What: rule option to check for IP options</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
select <strong>ipopts.~opt</strong>: output format { rr|eol|nop|ts|sec|esec|lsrr|lsrre|ssrr|satid|any }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_isdataat">isdataat</h3>
<div class="paragraph"><p>What: rule option to check for the presence of payload data</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>isdataat.~length</strong>: num | !num
</p>
</li>
<li>
<p>
implied <strong>isdataat.relative</strong>: offset from cursor instead of start of buffer
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_itype">itype</h3>
<div class="paragraph"><p>What: rule option to check ICMP type</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
interval <strong>itype.~range</strong>: check if ICMP type is in given range { 0:255 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_md5">md5</h3>
<div class="paragraph"><p>What: payload rule option for hash matching</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>md5.~hash</strong>: data to match
</p>
</li>
<li>
<p>
int <strong>md5.length</strong>: number of octets in plain text { 1:65535 }
</p>
</li>
<li>
<p>
string <strong>md5.offset</strong>: var or number of bytes from start of buffer to start search
</p>
</li>
<li>
<p>
implied <strong>md5.relative</strong> = false: offset from cursor instead of start of buffer
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_metadata">metadata</h3>
<div class="paragraph"><p>What: rule option for conveying arbitrary name, value data within the rule text</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong><code>metadata.*</code></strong>: comma-separated list of arbitrary name value pairs
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_modbus_data">modbus_data</h3>
<div class="paragraph"><p>What: rule option to set cursor to modbus data</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
</div>
<div class="sect2">
<h3 id="_modbus_func">modbus_func</h3>
<div class="paragraph"><p>What: rule option to check modbus function code</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>modbus_func.~</strong>: function code to match
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_modbus_unit">modbus_unit</h3>
<div class="paragraph"><p>What: rule option to check Modbus unit ID</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>modbus_unit.~</strong>: Modbus unit ID { 0:255 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_msg">msg</h3>
<div class="paragraph"><p>What: rule option summarizing rule purpose output with events</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>msg.~</strong>: message describing rule
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_mss">mss</h3>
<div class="paragraph"><p>What: detection for TCP maximum segment size</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
interval <strong>mss.~range</strong>: check if TCP MSS is in given range { 0:65535 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_pcre">pcre</h3>
<div class="paragraph"><p>What: rule option for matching payload data with pcre</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>pcre.~re</strong>: Snort regular expression
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_pkt_data">pkt_data</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the normalized packet data</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
</div>
<div class="sect2">
<h3 id="_pkt_num">pkt_num</h3>
<div class="paragraph"><p>What: alert on raw packet number</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
interval <strong>pkt_num.~range</strong>: check if packet number is in given range { 1: }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_priority">priority</h3>
<div class="paragraph"><p>What: rule option for prioritizing events</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>priority.~</strong>: relative severity level; 1 is highest priority { 1:max31 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_raw_data">raw_data</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the raw packet data</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
</div>
<div class="sect2">
<h3 id="_reference">reference</h3>
<div class="paragraph"><p>What: rule option to indicate relevant attack identification system</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>reference.~scheme</strong>: reference scheme
</p>
</li>
<li>
<p>
string <strong>reference.~id</strong>: reference id
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_regex">regex</h3>
<div class="paragraph"><p>What: rule option for matching payload data with hyperscan regex</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>regex.~re</strong>: hyperscan regular expression
</p>
</li>
<li>
<p>
implied <strong>regex.dotall</strong>: matching a . will not exclude newlines
</p>
</li>
<li>
<p>
implied <strong>regex.fast_pattern</strong>: use this content in the fast pattern matcher instead of the content selected by default
</p>
</li>
<li>
<p>
implied <strong>regex.multiline</strong>: ^ and $ anchors match any newlines in data
</p>
</li>
<li>
<p>
implied <strong>regex.nocase</strong>: case insensitive match
</p>
</li>
<li>
<p>
implied <strong>regex.relative</strong>: start search from end of last match instead of start of buffer
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_rem">rem</h3>
<div class="paragraph"><p>What: rule option to convey an arbitrary comment in the rule body</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>rem.~</strong>: comment
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_replace">replace</h3>
<div class="paragraph"><p>What: rule option to overwrite payload data; use with rewrite action</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>replace.~</strong>: byte code to replace with
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_rev">rev</h3>
<div class="paragraph"><p>What: rule option to indicate current revision of signature</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>rev.~</strong>: revision { 1:max32 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_rpc">rpc</h3>
<div class="paragraph"><p>What: rule option to check SUNRPC CALL parameters</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>rpc.~app</strong>: application number { 0:max32 }
</p>
</li>
<li>
<p>
string <strong>rpc.~ver</strong>: version number or * for any
</p>
</li>
<li>
<p>
string <strong>rpc.~proc</strong>: procedure number or * for any
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_sd_pattern">sd_pattern</h3>
<div class="paragraph"><p>What: rule option for detecting sensitive data</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>sd_pattern.~pattern</strong>: The pattern to search for
</p>
</li>
<li>
<p>
int <strong>sd_pattern.threshold</strong> = 1: number of matches before alerting { 1:max32 }
</p>
</li>
</ul></div>
<div class="paragraph"><p>Peg counts:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>sd_pattern.below_threshold</strong>: sd_pattern matched but missed threshold (sum)
</p>
</li>
<li>
<p>
<strong>sd_pattern.pattern_not_found</strong>: sd_pattern did not not match (sum)
</p>
</li>
<li>
<p>
<strong>sd_pattern.terminated</strong>: hyperscan terminated (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_seq">seq</h3>
<div class="paragraph"><p>What: rule option to check TCP sequence number</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
interval <strong>seq.~range</strong>: check if TCP sequence number is in given range { 0: }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_service">service</h3>
<div class="paragraph"><p>What: rule option to specify list of services for grouping rules</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong><code>service.*</code></strong>: one or more comma-separated service names
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_session">session</h3>
<div class="paragraph"><p>What: rule option to check user data from TCP sessions</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
enum <strong>session.~mode</strong>: output format { printable|binary|all }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_sha256">sha256</h3>
<div class="paragraph"><p>What: payload rule option for hash matching</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>sha256.~hash</strong>: data to match
</p>
</li>
<li>
<p>
int <strong>sha256.length</strong>: number of octets in plain text { 1:65535 }
</p>
</li>
<li>
<p>
string <strong>sha256.offset</strong>: var or number of bytes from start of buffer to start search
</p>
</li>
<li>
<p>
implied <strong>sha256.relative</strong> = false: offset from cursor instead of start of buffer
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_sha512">sha512</h3>
<div class="paragraph"><p>What: payload rule option for hash matching</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>sha512.~hash</strong>: data to match
</p>
</li>
<li>
<p>
int <strong>sha512.length</strong>: number of octets in plain text { 1:65535 }
</p>
</li>
<li>
<p>
string <strong>sha512.offset</strong>: var or number of bytes from start of buffer to start search
</p>
</li>
<li>
<p>
implied <strong>sha512.relative</strong> = false: offset from cursor instead of start of buffer
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_sid">sid</h3>
<div class="paragraph"><p>What: rule option to indicate signature number</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>sid.~</strong>: signature id { 1:max32 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_sip_body">sip_body</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the request body</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
</div>
<div class="sect2">
<h3 id="_sip_header">sip_header</h3>
<div class="paragraph"><p>What: rule option to set the detection cursor to the SIP header buffer</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
</div>
<div class="sect2">
<h3 id="_sip_method">sip_method</h3>
<div class="paragraph"><p>What: detection option for sip stat code</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong><code>sip_method.*method</code></strong>: sip method
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_sip_stat_code">sip_stat_code</h3>
<div class="paragraph"><p>What: detection option for sip stat code</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong><code>sip_stat_code.*code</code></strong>: status code { 1:999 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_so">so</h3>
<div class="paragraph"><p>What: rule option to call custom eval function</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>so.~func</strong>: name of eval function
</p>
</li>
<li>
<p>
implied <strong>so.relative</strong>: offset from cursor instead of start of buffer
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_soid">soid</h3>
<div class="paragraph"><p>What: rule option to specify a shared object rule ID</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>soid.~</strong>: SO rule ID is unique key, eg &lt;gid&gt;_&lt;sid&gt;_&lt;rev&gt; like 3_45678_9
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ssl_state">ssl_state</h3>
<div class="paragraph"><p>What: detection option for ssl state</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>ssl_state.client_hello</strong>: check for client hello
</p>
</li>
<li>
<p>
implied <strong>ssl_state.server_hello</strong>: check for server hello
</p>
</li>
<li>
<p>
implied <strong>ssl_state.client_keyx</strong>: check for client keyx
</p>
</li>
<li>
<p>
implied <strong>ssl_state.server_keyx</strong>: check for server keyx
</p>
</li>
<li>
<p>
implied <strong>ssl_state.unknown</strong>: check for unknown record
</p>
</li>
<li>
<p>
implied <strong>ssl_state.!client_hello</strong>: check for records that are not client hello
</p>
</li>
<li>
<p>
implied <strong>ssl_state.!server_hello</strong>: check for records that are not server hello
</p>
</li>
<li>
<p>
implied <strong>ssl_state.!client_keyx</strong>: check for records that are not client keyx
</p>
</li>
<li>
<p>
implied <strong>ssl_state.!server_keyx</strong>: check for records that are not server keyx
</p>
</li>
<li>
<p>
implied <strong>ssl_state.!unknown</strong>: check for records that are not unknown
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ssl_version">ssl_version</h3>
<div class="paragraph"><p>What: detection option for ssl version</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
implied <strong>ssl_version.sslv2</strong>: check for sslv2
</p>
</li>
<li>
<p>
implied <strong>ssl_version.sslv3</strong>: check for sslv3
</p>
</li>
<li>
<p>
implied <strong>ssl_version.tls1.0</strong>: check for tls1.0
</p>
</li>
<li>
<p>
implied <strong>ssl_version.tls1.1</strong>: check for tls1.1
</p>
</li>
<li>
<p>
implied <strong>ssl_version.tls1.2</strong>: check for tls1.2
</p>
</li>
<li>
<p>
implied <strong>ssl_version.!sslv2</strong>: check for records that are not sslv2
</p>
</li>
<li>
<p>
implied <strong>ssl_version.!sslv3</strong>: check for records that are not sslv3
</p>
</li>
<li>
<p>
implied <strong>ssl_version.!tls1.0</strong>: check for records that are not tls1.0
</p>
</li>
<li>
<p>
implied <strong>ssl_version.!tls1.1</strong>: check for records that are not tls1.1
</p>
</li>
<li>
<p>
implied <strong>ssl_version.!tls1.2</strong>: check for records that are not tls1.2
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_stream_reassemble">stream_reassemble</h3>
<div class="paragraph"><p>What: detection option for stream reassembly control</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
enum <strong>stream_reassemble.action</strong>: stop or start stream reassembly { disable|enable }
</p>
</li>
<li>
<p>
enum <strong>stream_reassemble.direction</strong>: action applies to the given direction(s) { client|server|both }
</p>
</li>
<li>
<p>
implied <strong>stream_reassemble.noalert</strong>: don&#8217;t alert when rule matches
</p>
</li>
<li>
<p>
implied <strong>stream_reassemble.fastpath</strong>: optionally whitelist the remainder of the session
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_stream_size">stream_size</h3>
<div class="paragraph"><p>What: detection option for stream size checking</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
interval <strong>stream_size.~range</strong>: check if the stream size is in the given range { 0: }
</p>
</li>
<li>
<p>
enum <strong>stream_size.~direction</strong>: compare applies to the given direction(s) { either|to_server|to_client|both }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_tag">tag</h3>
<div class="paragraph"><p>What: rule option to log additional packets</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
enum <strong>tag.~</strong>: log all packets in session or all packets to or from host { session|host_src|host_dst }
</p>
</li>
<li>
<p>
int <strong>tag.packets</strong>: tag this many packets { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>tag.seconds</strong>: tag for this many seconds { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>tag.bytes</strong>: tag for this many bytes { 1:max32 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_target">target</h3>
<div class="paragraph"><p>What: rule option to indicate target of attack</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
enum <strong>target.~</strong>: indicate the target of the attack { src_ip | dst_ip }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_tos">tos</h3>
<div class="paragraph"><p>What: rule option to check type of service field</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
interval <strong>tos.~range</strong>: check if IP TOS is in given range { 0:255 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ttl">ttl</h3>
<div class="paragraph"><p>What: rule option to check time to live field</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
interval <strong>ttl.~range</strong>: check if IP TTL is in the given range { 0:255 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_urg">urg</h3>
<div class="paragraph"><p>What: detection for TCP urgent pointer</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
interval <strong>urg.~range</strong>: check if tcp urgent offset is in given range { 0:65535 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_window">window</h3>
<div class="paragraph"><p>What: rule option to check TCP window field</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
interval <strong>window.~range</strong>: check if TCP window size is in given range { 0:65535 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_wscale">wscale</h3>
<div class="paragraph"><p>What: detection for TCP window scale</p></div>
<div class="paragraph"><p>Type: ips_option</p></div>
<div class="paragraph"><p>Usage: detect</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
interval <strong>wscale.~range</strong>: check if TCP window scale is in given range { 0:65535 }
</p>
</li>
</ul></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_search_engine_modules">Search Engine Modules</h2>
<div class="sectionbody">
<div class="paragraph"><p>Search engines perform multipattern searching of packets and payload to find
rules that should be evaluated.  There are currently no specific modules,
although there are several search engine plugins.  Related configuration
is done with the basic detection module.</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_so_rule_modules">SO Rule Modules</h2>
<div class="sectionbody">
<div class="paragraph"><p>SO rules are dynamic rules that require custom coding to perform detection
not possible with the existing rule options.  These rules typically do not
have associated modules.</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_logger_modules">Logger Modules</h2>
<div class="sectionbody">
<div class="paragraph"><p>All output of events and packets is done by Loggers.</p></div>
<div class="sect2">
<h3 id="_alert_csv">alert_csv</h3>
<div class="paragraph"><p>What: output event in csv format</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>alert_csv.file</strong> = false: output to alert_csv.txt instead of stdout
</p>
</li>
<li>
<p>
multi <strong>alert_csv.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }
</p>
</li>
<li>
<p>
int <strong>alert_csv.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
</p>
</li>
<li>
<p>
string <strong>alert_csv.separator</strong> = , : separate fields with this character sequence
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_alert_ex">alert_ex</h3>
<div class="paragraph"><p>What: output gid:sid:rev for alerts</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>alert_ex.upper</strong> = false: true/false &#8594; convert to upper/lower case
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_alert_fast">alert_fast</h3>
<div class="paragraph"><p>What: output event with brief text format</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>alert_fast.file</strong> = false: output to alert_fast.txt instead of stdout
</p>
</li>
<li>
<p>
bool <strong>alert_fast.packet</strong> = false: output packet dump with alert
</p>
</li>
<li>
<p>
int <strong>alert_fast.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_alert_full">alert_full</h3>
<div class="paragraph"><p>What: output event with full packet dump</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>alert_full.file</strong> = false: output to alert_full.txt instead of stdout
</p>
</li>
<li>
<p>
int <strong>alert_full.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_alert_json">alert_json</h3>
<div class="paragraph"><p>What: output event in json format</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>alert_json.file</strong> = false: output to alert_json.txt instead of stdout
</p>
</li>
<li>
<p>
multi <strong>alert_json.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }
</p>
</li>
<li>
<p>
int <strong>alert_json.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
</p>
</li>
<li>
<p>
string <strong>alert_json.separator</strong> = , : separate fields with this character sequence
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_alert_sfsocket">alert_sfsocket</h3>
<div class="paragraph"><p>What: output event over socket</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
string <strong>alert_sfsocket.file</strong>: name of unix socket file
</p>
</li>
<li>
<p>
int <strong><code>alert_sfsocket.rules[].gid</code></strong> = 1: rule generator ID { 1:max32 }
</p>
</li>
<li>
<p>
int <strong><code>alert_sfsocket.rules[].sid</code></strong> = 1: rule signature ID { 1:max32 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_alert_syslog">alert_syslog</h3>
<div class="paragraph"><p>What: output event to syslog</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
enum <strong>alert_syslog.facility</strong> = auth: part of priority applied to each message { auth | authpriv | daemon | user | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }
</p>
</li>
<li>
<p>
enum <strong>alert_syslog.level</strong> = info: part of priority applied to each message { emerg | alert | crit | err | warning | notice | info | debug }
</p>
</li>
<li>
<p>
multi <strong>alert_syslog.options</strong>: used to open the syslog connection { cons | ndelay | perror | pid }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_alert_talos">alert_talos</h3>
<div class="paragraph"><p>What: output event in Talos alert format</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Usage: context</p></div>
</div>
<div class="sect2">
<h3 id="_alert_unixsock">alert_unixsock</h3>
<div class="paragraph"><p>What: output event over unix socket</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Usage: context</p></div>
</div>
<div class="sect2">
<h3 id="_log_codecs">log_codecs</h3>
<div class="paragraph"><p>What: log protocols in packet by layer</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>log_codecs.file</strong> = false: output to log_codecs.txt instead of stdout
</p>
</li>
<li>
<p>
bool <strong>log_codecs.msg</strong> = false: include alert msg
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_log_hext">log_hext</h3>
<div class="paragraph"><p>What: output payload suitable for daq hext</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>log_hext.file</strong> = false: output to log_hext.txt instead of stdout
</p>
</li>
<li>
<p>
bool <strong>log_hext.raw</strong> = false: output all full packets if true, else just TCP payload
</p>
</li>
<li>
<p>
int <strong>log_hext.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
</p>
</li>
<li>
<p>
int <strong>log_hext.width</strong> = 20: set line width (0 is unlimited) { 0:max32 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_log_pcap">log_pcap</h3>
<div class="paragraph"><p>What: log packet in pcap format</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
int <strong>log_pcap.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_unified2">unified2</h3>
<div class="paragraph"><p>What: output event and packet in unified2 format file</p></div>
<div class="paragraph"><p>Type: logger</p></div>
<div class="paragraph"><p>Usage: context</p></div>
<div class="paragraph"><p>Configuration:</p></div>
<div class="ulist"><ul>
<li>
<p>
bool <strong>unified2.legacy_events</strong> = false: generate Snort 2.X style events for barnyard2 compatibility
</p>
</li>
<li>
<p>
int <strong>unified2.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
</p>
</li>
<li>
<p>
bool <strong>unified2.nostamp</strong> = true: append file creation time to name (in Unix Epoch format)
</p>
</li>
</ul></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_daq_configuration_and_modules">DAQ Configuration and Modules</h2>
<div class="sectionbody">
<div class="paragraph"><p>The Data AcQuisition library (DAQ), provides pluggable packet I/O.  LibDAQ
replaces direct calls to libraries like libpcap with an abstraction layer
that facilitates operation on a variety of hardware and software interfaces
without requiring changes to Snort.  It is possible to select the DAQ module
and mode when invoking Snort to perform pcap readback or inline operation,
etc.  The DAQ library may be useful for other packet processing
applications and the modular nature allows you to build new modules for
other platforms.</p></div>
<div class="paragraph"><p>The DAQ library exists as a separate repository on the official Snort 3 GitHub
project (<a href="https://github.com/snort3/libdaq">https://github.com/snort3/libdaq</a>) and contains a number of bundled DAQ
modules including AFPacket, Divert, NFQ, PCAP, and Netmap implementations.
Snort 3 itself contains a few new DAQ modules mostly used for testing as
described below.  Additionally, DAQ modules developed by third parties to
facilitate the usage of their own hardware and software platforms exist.</p></div>
<div class="sect2">
<h3 id="_building_the_daq_library_and_its_bundled_daq_modules">Building the DAQ Library and Its Bundled DAQ Modules</h3>
<div class="paragraph"><p>Refer to the READMEs in the LibDAQ source tarball for instructions on how to
build the library and modules as well as details on configuring and using the
bundled DAQ modules.</p></div>
</div>
<div class="sect2">
<h3 id="_configuration_7">Configuration</h3>
<div class="paragraph"><p>As with a number of features in Snort 3, the LibDAQ and DAQ module
configuration may be controlled using either the command line options or by
configuring the <em>daq</em> Snort module in the Lua configuration.</p></div>
<div class="paragraph"><p>DAQ modules may be statically built into Snort, but the more common case is to
use DAQ modules that have been built as dynamically loadable objects.  Because
of this, the first thing to take care of is informing Snort of any locations it
should search for dynamic DAQ modules.  From the command line, this can be done
with one or more invocations of the --daq-dir option, which takes a
colon-separated set of paths to search as its argument.  All arguments will be
collected into a list of locations to be searched. In the Lua configuration, the
<em>daq.module_dirs[]</em> property is a list of paths for the same purpose.</p></div>
<div class="paragraph"><p>Next, one must select which DAQ modules they wish to use by name.  At least one
base module and zero or more wrapper modules may be selected.  This is done
using the --daq options from the command line or the <em>daq.modules[]</em> list-type
property.  To get a list of the available modules, run Snort with the --daq-list
option making sure to specify any DAQ module search directories beforehand.  If
no DAQ module is specified, Snort will default to attempting to find and use a
DAQ module named <em>pcap</em>.</p></div>
<div class="paragraph"><p>Some DAQ modules can be further directly configured using DAQ module variables.
All DAQ module variables come in the form of either just a key or a key and a
value separated by an equals sign.  For example, <em>debug</em> or <em>fanout_type=hash</em>.
The command line option for specifying these is --daq-var and the configuration
file equivalent is the <em>daq.modules[].variables[]</em> property.  The available
variables for each module will be shown when listing the available DAQ modules
with --daq-list.</p></div>
<div class="paragraph"><p>The LibDAQ concept of operational mode (passive, inline, or file readback) is
automatically configured based on inferring the mode from other Snort
configuration.  The presence of -r or --pcap-* options implies <em>read-file</em>, -i
without -Q implies <em>passive</em>, and -i with -Q implies <em>inline</em>.  The mode can be
overridden on a per-DAQ module basis with the --daq-mode option on the command
line or the <em>daq.modules[].mode</em> property.</p></div>
<div class="paragraph"><p>The DAQ module receive timeout is always configured to 1 second.  The packet
capture length (snaplen) defaults to 1518 bytes and can be overridden by the -s
command line option or <em>daq.snaplen</em> property.</p></div>
<div class="paragraph"><p>Finally, and most importantly, is the input specification for the DAQ module.
In readback mode, this is simply the file to be read back and analyzed.  For
live traffic processing, this is the name of the interface or other necessary
input specification as required by the DAQ module to understand what to operate
upon.  From the command line, the -r option is used to specify a file to be
read back and the -i option is used to indicate a live interface input
specification.  Both are covered by the <em>daq.inputs[]</em> property.</p></div>
<div class="paragraph"><p>For advanced use cases, one additional LibDAQ configuration exists: the number
of DAQ messages to request per receive call.  In Snort, this is referred to as
the DAQ "batch size" and defaults to 64.  The default can be overridden with
the --daq-batch-size command line option or <em>daq.batch_size</em> property.  The
message pool size requested from the DAQ module will be four times this batch
size.</p></div>
<div class="sect3">
<h4 id="_command_line_example">Command Line Example</h4>
<div class="literalblock">
<div class="content">
<pre><code>    snort --daq-dir /usr/local/lib/daq --daq-dir /opt/lib/daq --daq afpacket
--daq-var debug --daq-var fanout_type=hash -i eth1:eth2 -Q</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_configuration_file_example">Configuration File Example</h4>
<div class="paragraph"><p>The following is the equivalent of the above command line DAQ configuration in
Lua form:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>daq =
{
    module_dirs =
    {
        '/usr/local/lib/daq',
        '/opt/lib/daq'
    },
    modules =
    {
        {
            name = 'afpacket',
            mode = 'inline',
            variables =
            {
                'debug',
                'fanout_type=hash'
            }
        }
    },
    inputs =
    {
        'eth1:eth2',
    },
    snaplen = 1518
}</code></pre>
</div></div>
<div class="paragraph"><p>The <em>daq.snaplen</em> property was included for completeness and may be omitted if
the default value is acceptable.</p></div>
</div>
<div class="sect3">
<h4 id="_daq_module_configuration_stacks">DAQ Module Configuration Stacks</h4>
<div class="paragraph"><p>Like briefly mentioned above, a DAQ configuration consists of a base DAQ module
and zero or more wrapper DAQ modules.  DAQ wrapper modules provide additional
functionality layered on top of the base module in a decorator pattern.  For
example, the Dump DAQ module will capture all passed or injected packets and
save them to a PCAP savefile.  This can be layered on top of something like the
PCAP DAQ module to assess which packets are making it through Snort without
being dropped and what actions Snort has taken that involved sending new or
modified packets out onto the network (e.g., TCP reset packets and TCP
normalizations).</p></div>
<div class="paragraph"><p>To configure a DAQ module stack from the command line, the --daq option must
be given multiple times with the base module specified first followed by the
wrapper modules in the desired order (building up the stack).  Each --daq
option changes which module is being configured by subsequent --daq-var and
--daq mode options.</p></div>
<div class="paragraph"><p>When configuring the same sort of stack in Lua, everything lives in the
<em>daq.modules[]</em> property.  <em>daq.modules[]</em> is an array of module configurations
pushed onto the stack from top to bottom.  Each module configuration <strong>must</strong>
contain the name of the DAQ module.  Additionally, it may contain an array of
variables (<em>daq.modules[].variables[]</em>) and/or an operational mode
(<em>daq.modules[].mode</em>).</p></div>
<div class="paragraph"><p>If only wrapper modules were specified, Snort will default to implicitly
configuring a base module with the name <em>pcap</em> in <em>read-file</em> mode.  This is a
convenience to mimic the previous behavior when selecting something like the
old Dump DAQ module that may be removed in the future.</p></div>
<div class="paragraph"><p>For any particularly complicated setup, it is recommended that one configure
via a Lua configuration file rather than using the command line options.</p></div>
</div>
</div>
<div class="sect2">
<h3 id="_interaction_with_multiple_packet_threads">Interaction With Multiple Packet Threads</h3>
<div class="paragraph"><p>All packet threads will receive the same DAQ instance configuration with the
potential exception of the input specification.</p></div>
<div class="paragraph"><p>If Snort is in file readback mode, a full set of files will be constructed from
the -r/--pcap-file/--pcap-list/--pcap-dir/--pcap-filter options.  A number of
packet threads will be started up to the configured maximum (-z) to process
these files one at a time.  As a packet thread completes processing of a file,
it will be stopped and then started again with a different file input to
process.  If the number of packet threads configured exceeds the number of
files to process, or as the number of remaining input files dwindles below that
number, Snort will stop spawning new packet threads when it runs out of
unhandled input files.</p></div>
<div class="paragraph"><p>When Snort is operating on live interfaces (-i), all packet threads up to the
configured maximum will always be started.  By default, if only one input
specification is given, all packet threads will receive the same input in their
configuration.  If multiple inputs are given, each thread will be given the
matching input (ordinally), falling back to the first if the number of packet
threads exceeds the number of inputs.</p></div>
</div>
<div class="sect2">
<h3 id="_daq_modules_included_with_snort_3">DAQ Modules Included With Snort 3</h3>
<div class="sect3">
<h4 id="_socket_module">Socket Module</h4>
<div class="paragraph"><p>The socket module provides provides a stream socket server that will accept
up to 2 simultaneous connections and bridge them together while also
passing data to Snort for inspection.  The first connection accepted is
considered the client and the second connection accepted is considered the
server.  If there is only one connection, stream data can&#8217;t be forwarded
but it is still inspected.</p></div>
<div class="paragraph"><p>Each read from a socket of up to snaplen bytes is passed as a packet to
Snort along with the ability to retrieve a DAQ_UsrHdr_t structure via ioctl.
DAQ_UsrHdr_t conveys IP4 address, ports, protocol, and direction.  Socket
packets can be configured to be TCP or UDP.  The socket DAQ can be operated
in inline mode and is able to block packets.</p></div>
<div class="paragraph"><p>Packets from the socket DAQ module are handled by Snort&#8217;s stream_user module,
which must be configured in the Snort configuration.</p></div>
<div class="paragraph"><p>To use the socket DAQ, start Snort like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>./snort --daq-dir /path/to/lib/snort_extra/daq \
    --daq socket [--daq-var port=&lt;port&gt;] [--daq-var proto=&lt;proto&gt;] [-Q]</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>&lt;port&gt; ::= 1..65535; default is 8000
&lt;proto&gt; ::= tcp | udp</code></pre>
</div></div>
<div class="ulist"><ul>
<li>
<p>
This module only supports ip4 traffic.
</p>
</li>
<li>
<p>
This module is only supported by Snort 3.  It is not compatible with
  Snort 2.
</p>
</li>
<li>
<p>
This module is primarily for development and test.
</p>
</li>
</ul></div>
</div>
<div class="sect3">
<h4 id="_file_module">File Module</h4>
<div class="paragraph"><p>The file module provides the ability to process files directly without having
to extract them from pcaps.  Use the file module with Snort&#8217;s stream_file to
get file type identification and signature services.  The usual IPS detection
and logging, etc. is also available.</p></div>
<div class="paragraph"><p>You can process all the files in a directory recursively using 8 threads
with these Snort options:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>--pcap-dir path -z 8</code></pre>
</div></div>
<div class="ulist"><ul>
<li>
<p>
This module is only supported by Snort 3.  It is not compatible with
  Snort 2.
</p>
</li>
<li>
<p>
This module is primarily for development and test.
</p>
</li>
</ul></div>
</div>
<div class="sect3">
<h4 id="_hext_module">Hext Module</h4>
<div class="paragraph"><p>The hext module generates packets suitable for processing by Snort from
hex/plain text.  Raw packets include full headers and are processed
normally.  Otherwise the packets contain only payload and are accompanied
with flow information (4-tuple) suitable for processing by stream_user.</p></div>
<div class="paragraph"><p>The first character of the line determines it&#8217;s purpose:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>'$' command
'#' comment
'"' quoted string packet data
'x' hex packet data
' ' empty line separates packets</code></pre>
</div></div>
<div class="paragraph"><p>The available commands are:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>$client &lt;ip4&gt; &lt;port&gt;
$server &lt;ip4&gt; &lt;port&gt;</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>$packet -&gt; client
$packet -&gt; server</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>$packet &lt;addr&gt; &lt;port&gt; -&gt; &lt;addr&gt; &lt;port&gt;</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>$sof &lt;i32:ingressZone&gt; &lt;i32:egressZone&gt; &lt;i32:ingressIntf&gt; &lt;i32:egressIntf&gt; &lt;s:srcIp&gt; &lt;i16:srcPort&gt; &lt;s:destIp&gt; &lt;i16:dstPort&gt; &lt;u32:opaque&gt; &lt;u64:initiatorPkts&gt; &lt;u64:responderPkts&gt; &lt;u64:initiatorPktsDropped&gt; &lt;u64:responderPktsDropped&gt; &lt;u64:initiatorBytesDropped&gt; &lt;u64:responderBytesDropped&gt; &lt;u8:isQosAppliedOnSrcIntf&gt; &lt;timeval:sof_timestamp&gt; &lt;timeval:eof_timestamp&gt; &lt;u16:vlan&gt; &lt;u16:address_space_id&gt; &lt;u8:protocol&gt;
$eof &lt;i32:ingressZone&gt; &lt;i32:egressZone&gt; &lt;i32:ingressIntf&gt; &lt;i32:egressIntf&gt; &lt;s:srcIp&gt; &lt;i16:srcPort&gt; &lt;s:destIp&gt; &lt;i16:dstPort&gt; &lt;u32:opaque&gt; &lt;u64:initiatorPkts&gt; &lt;u64:responderPkts&gt; &lt;u64:initiatorPktsDropped&gt; &lt;u64:responderPktsDropped&gt; &lt;u64:initiatorBytesDropped&gt; &lt;u64:responderBytesDropped&gt; &lt;u8:isQosAppliedOnSrcIntf&gt; &lt;timeval:sof_timestamp&gt; &lt;timeval:eof_timestamp&gt; &lt;u16:vlan&gt; &lt;u16:address_space_id&gt; &lt;u8:protocol&gt;</code></pre>
</div></div>
<div class="paragraph"><p>Client and server are determined as follows.  $packet &#8594; client indicates
to the client (from server) and $packet &#8594; server indicates a packet to the
server (from client).  $packet followed by a 4-tuple uses the heuristic
that the client is the side with the greater port number.</p></div>
<div class="paragraph"><p>The default client and server are 192.168.1.1 12345 and 10.1.2.3 80
respectively.  $packet commands with a 4-tuple do not change client and
server set with the other $packet commands.</p></div>
<div class="paragraph"><p>$packet commands should be followed by packet data, which may contain any
combination of hex and strings.  Data for a packet ends with the next
command or a blank line.  Data after a blank line will start another packet
with the same tuple as the prior one.</p></div>
<div class="paragraph"><p>$sof and $eof commands generate Start of Flow and End of Flow metapackets
respectively. They are followed by a definition of a Flow_Stats_t data structure
which will be fed into Snort via the metadata callback.</p></div>
<div class="paragraph"><p>Strings may contain the following escape sequences:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>\r = 0x0D = carriage return
\n = 0x0A = new line
\t = 0x09 = tab
\\ = 0x5C = \</code></pre>
</div></div>
<div class="paragraph"><p>Format your input carefully; there is minimal error checking and little
tolerance for arbitrary whitespace.  You can use Snort&#8217;s -L hext option to
generate hext input from a pcap.</p></div>
<div class="ulist"><ul>
<li>
<p>
This module only supports ip4 traffic.
</p>
</li>
<li>
<p>
This module is only supported by Snort 3.  It is not compatible with
  Snort 2.
</p>
</li>
<li>
<p>
This module is primarily for development and test.
</p>
</li>
</ul></div>
<div class="paragraph"><p>The hext DAQ also supports a raw mode which is activated by setting the
data link type.  For example, you can input full ethernet packets with
--daq-var dlt=1 (Data link types are defined in the DAQ include
sfbpf_dlt.h.)  Combine that with the hext logger in raw mode for a quick
(and dirty) way to edit pcaps.  With --lua "log_hext = { raw = true }", the
hext logger will dump the full packet in a way that can be read by the hext
DAQ in raw mode.  Here is an example:</p></div>
<div class="literalblock">
<div class="content">
<pre><code># 3 [96]</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>x02 09 08 07 06 05 02 01 02 03 04 05 08 00 45 00 00 52 00 03  # ..............E..R..
x00 00 40 06 5C 90 0A 01 02 03 0A 09 08 07 BD EC 00 50 00 00  # ..@.\............P..
x00 02 00 00 00 02 50 10 20 00 8A E1 00 00 47 45 54 20 2F 74  # ......P.  .....GET /t
x72 69 67 67 65 72 2F 31 20 48 54 54 50 2F 31 2E 31 0D 0A 48  # rigger/1 HTTP/1.1..H
x6F 73 74 3A 20 6C 6F 63 61 6C 68 6F 73 74 0D 0A              # ost: localhost..</code></pre>
</div></div>
<div class="paragraph"><p>A comment indicating packet number and size precedes each packet dump.
Note that the commands are not applicable in raw mode and have no effect.</p></div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_snort_3_vs_snort_2">Snort 3 vs Snort 2</h2>
<div class="sectionbody">
<div class="paragraph"><p>Snort 3 differs from Snort 2 in the following ways:</p></div>
<div class="ulist"><ul>
<li>
<p>
command line and conf file syntax made more uniform
</p>
</li>
<li>
<p>
removed unused and deprecated features
</p>
</li>
<li>
<p>
remove as many barriers to successful run as possible
  (e.g.: no upper bounds on memcaps)
</p>
</li>
<li>
<p>
assume the simplest mode of operation
  (e.g.: never assume input from or output to some hardcoded filename)
</p>
</li>
<li>
<p>
all Snort 2 config options are grouped into Snort 3 modules
</p>
</li>
</ul></div>
<div class="sect2">
<h3 id="_features_new_to_snort_3">Features New to Snort 3</h3>
<div class="paragraph"><p>Some things Snort++ can do today that Snort can not do:</p></div>
<div class="ulist"><ul>
<li>
<p>
regex fast patterns, not just literals
</p>
</li>
<li>
<p>
FlatBuffers and JSON perf monitor logs
</p>
</li>
<li>
<p>
LuaJIT scriptable rule options and loggers
</p>
</li>
<li>
<p>
pub/sub inspection events (currently used by sip and http_inspect to appid)
</p>
</li>
<li>
<p>
JIT buffer stuffers (notably with new http_inspect)
</p>
</li>
<li>
<p>
C-style comments in rules
</p>
</li>
<li>
<p>
#begin &#8230; #end comment blocks in rules
</p>
</li>
<li>
<p>
rule remarks (comment is part of rule, not just in it)
</p>
</li>
<li>
<p>
process raw files (eg read a PDF and do file processing)
</p>
</li>
<li>
<p>
process raw payload (eg bridge 2 sockets and do inspection)
</p>
</li>
<li>
<p>
fast pattern offload to separate thread (experimental)
</p>
</li>
<li>
<p>
track all memory allocated
</p>
</li>
<li>
<p>
add or override any config item on command line
</p>
</li>
<li>
<p>
set CPU affinity
</p>
</li>
<li>
<p>
pause and resume commands
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_features_improved_over_snort_2">Features Improved over Snort 2</h3>
<div class="paragraph"><p>Some things Snort++ can do today that Snort can not do as well:</p></div>
<div class="ulist"><ul>
<li>
<p>
Hyperscan search engine plugin
  (Intel provides patch for Snort 2)
</p>
</li>
<li>
<p>
fast pattern sensitive data
  (Snort 2 requires a slow, extra search)
</p>
</li>
<li>
<p>
multiple packet threads with one config
  (Snort 2 requires multiple processes)
</p>
</li>
<li>
<p>
wizard automatically detects service for first flow
  (Snort 2 appid detects for next flow)
</p>
</li>
<li>
<p>
nested policy binding
  (Snort 2 has just one level)
</p>
</li>
<li>
<p>
decode arbitrary layers
  (Snort 2 supports only 2 IP layers)
</p>
</li>
<li>
<p>
process PDU buffers
  (Snort 2 only processes packets)
</p>
</li>
<li>
<p>
fully stateful http_inspect with 97 builtin alerts
  (Snort 2 is only partly stateful with 33 builtin alerts)
</p>
</li>
<li>
<p>
output all semantic errors before quitting
  (Snort 2 stops at first one)
</p>
</li>
<li>
<p>
alert file rules
  (Snort 2 must use multiple rules)
</p>
</li>
<li>
<p>
alert service rules, eg alert http
  (Snort 2 must use metadata:service)
</p>
</li>
<li>
<p>
automatic fast_pattern only
  (Snort 2 requires explicit fast_pattern:only)
</p>
</li>
<li>
<p>
elided rule headers omit nets and/or ports
  (Snort 2 requires explicit <em>any</em>)
</p>
</li>
<li>
<p>
dump builtin rule stubs
  (Snort 2 can only dump SO stubs)
</p>
</li>
<li>
<p>
rule sticky buffers
  (Snort 2 buffers must be repeated)
</p>
</li>
<li>
<p>
http_header:name supported to restrict to single field
  (Snort 2 searches all headers)
</p>
</li>
<li>
<p>
fully equivalent SO rules
  (Snort 2 has some limitations with SO processing)
</p>
</li>
<li>
<p>
text-based SO rule implementation
  (Snort 2 requires tedious, nested C structs)
</p>
</li>
<li>
<p>
extensible module-based tracing
  (Snort 2 has a fixed set of flags)
</p>
</li>
<li>
<p>
over 200 plugins, no need to change core source code
  (Snort 2 only supports preprocessors and outputs)
</p>
</li>
<li>
<p>
use consistent conf syntax
  (Snort 2 defines lists different ways in different places, etc.)
</p>
</li>
<li>
<p>
use consistent rule syntax
  (Snort 2 has semicolon separated suboptions, etc.)
</p>
</li>
<li>
<p>
arbitrary whitespace and comments in conf and rules
  (Snort 2 requires newline escapes)
</p>
</li>
<li>
<p>
properly parse rules
  (Snort 2 can actually completely ignore stuff)
</p>
</li>
<li>
<p>
optional, expanded warnings output, can be fatal
  (Snort 2 warnings limited and are not optional or fatal)
</p>
</li>
<li>
<p>
define and use arbitrary variables and functions in config with Lua
  (Snort 2 has variables just for rule headers)
</p>
</li>
<li>
<p>
text-based command line shell
  (Snort 2 has binary control socket)
</p>
</li>
<li>
<p>
generate text and HTML user guide in addition to PDF
  (Snort 2 just has PDF and Talos provides HTML)
</p>
</li>
<li>
<p>
generate developer&#8217;s guide
  (Snort 2&#8217;s is manually written)
</p>
</li>
<li>
<p>
extensive command line help, eg every config item, rule option, and peg count
  (Snort 2 only has command line args)
</p>
</li>
<li>
<p>
cmake builds
  (Snort 2 only does automake)
</p>
</li>
<li>
<p>
read rules from separate file or stdin
  (Snort 2 requires rules directly in or included in conf)
</p>
</li>
<li>
<p>
simple, clean, uniform startup and shutdown output
  (Snort 2 is heavy and inconsistent)
</p>
</li>
<li>
<p>
port_scan is fully configurable
  (Snort 2 hard codes most of the configuration)
</p>
</li>
<li>
<p>
port_scan can block scans
  (Snort 2 can only detect scans)
</p>
</li>
<li>
<p>
sigquit will cause a --dirty-pig style exit
  (Snort 2 handles sigquit the same as sigterm and sigint)
</p>
</li>
<li>
<p>
detection trace
  (Snort 2 has more limited buffer dumping)
</p>
</li>
<li>
<p>
updated unified2 events with MPLS, VLAN, and IP6
  (Snort 2 requires configuration and extra data)
</p>
</li>
<li>
<p>
significantly more unit tests, including --catch and make check
  (Snort 2 has very few unit tests)
</p>
</li>
<li>
<p>
better modularity 346K/1534 = 226 lines/file, max=2700
  (Snort 2 has 440K/1021 = 431 lines/file, max=13K)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_build_options">Build Options</h3>
<div class="ulist"><ul>
<li>
<p>
configure --with-lib{pcap,pcre}-* &#8594; --with-{pcap,pcre}-*
</p>
</li>
<li>
<p>
control socket, cs_dir, and users were deleted
</p>
</li>
<li>
<p>
POLICY_BY_ID_ONLY code was deleted
</p>
</li>
<li>
<p>
hardened --enable-inline-init-failopen / INLINE_FAILOPEN
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_command_line_2">Command Line</h3>
<div class="ulist"><ul>
<li>
<p>
--pause loads config and waits for resume before processing packets
</p>
</li>
<li>
<p>
--require-rule-sid is hardened
</p>
</li>
<li>
<p>
--shell enables interactive Lua shell
</p>
</li>
<li>
<p>
-T is assumed if no input given
</p>
</li>
<li>
<p>
added --help-config prefix to dump all matching settings
</p>
</li>
<li>
<p>
added --script-path
</p>
</li>
<li>
<p>
added -L none|dump|pcap
</p>
</li>
<li>
<p>
added -z &lt;#&gt; and --max-packet-threads &lt;#&gt;
</p>
</li>
<li>
<p>
delete --enable-mpls-multicast, --enable-mpls-overlapping-ip,
  --max-mpls-labelchain-len, --mpls-payload-type
</p>
</li>
<li>
<p>
deleted --pid-path and --no-interface-pidfile
</p>
</li>
<li>
<p>
deleting command line options which will be available with --lua or some such including:
  -I, -h, -F, -p, --disable-inline-init-failopen
</p>
</li>
<li>
<p>
hardened -n &lt; 0
</p>
</li>
<li>
<p>
removed --search-method
</p>
</li>
<li>
<p>
replaced "unknown args are bpf" with --bpf
</p>
</li>
<li>
<p>
replaced --dynamic-*-lib[-dir] with --plugin-path (with : separators)
</p>
</li>
<li>
<p>
removed -b, -N, -Z and, --perfmon-file options
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_conf_file">Conf File</h3>
<div class="ulist"><ul>
<li>
<p>
Snort 3 has a default unicode.map
</p>
</li>
<li>
<p>
Snort 3 will not enforce an upper bound on memcaps and the like within 64 bits
</p>
</li>
<li>
<p>
Snort 3 will supply a default *_global config if not specified
  (Snort 2 would fatal; e.g. http_inspect_server w/o http_inspect_global)
</p>
</li>
<li>
<p>
address list syntax changes: [[ and ]] must be [ [ and ] ] to avoid Lua string
  parsing errors (unless in quoted string)
</p>
</li>
<li>
<p>
because the Lua conf is live code, we lose file:line locations in app error messages
  (syntax errors from Lua have file:line)
</p>
</li>
<li>
<p>
changed search-method names for consistency
</p>
</li>
<li>
<p>
delete config include_vlan_in_alerts (not used in code)
</p>
</li>
<li>
<p>
delete config so_rule_memcap (not used in code)
</p>
</li>
<li>
<p>
deleted --disable-attribute-table-reload-thread
</p>
</li>
<li>
<p>
deleted config decode_*_{alerts,drops} (use rules only)
</p>
</li>
<li>
<p>
deleted config dump-dynamic-rules-path
</p>
</li>
<li>
<p>
deleted config ipv6_frag (not actually used)
</p>
</li>
<li>
<p>
deleted config threshold and ips rule threshold (&#8594; event_filter)
</p>
</li>
<li>
<p>
eliminated ac-split; must use ac-full-q split-any-any
</p>
</li>
<li>
<p>
frag3 &#8594; defrag, arpspoof &#8594; arp_spoof, sfportscan &#8594; port_scan,
  perfmonitor &#8594; perf_monitor, bo &#8594; back_orifice
</p>
</li>
<li>
<p>
limits like "1234K" are now "limit = 1234, units = <em>K</em>"
</p>
</li>
<li>
<p>
lua field names are (lower) case sensitive; snort.conf largely wasn&#8217;t
</p>
</li>
<li>
<p>
module filenames are not configurable: always &lt;log-dir&gt;/&lt;module-name&gt;&lt;suffix&gt;
  (suffix is determined by module)
</p>
</li>
<li>
<p>
no positional parameters; all name = value
</p>
</li>
<li>
<p>
perf_monitor configuration was simplified
</p>
</li>
<li>
<p>
portscan.detect_ack_scans deleted (exact same as include_midstream)
</p>
</li>
<li>
<p>
removed various run modes - now just one
</p>
</li>
<li>
<p>
frag3 default policy is Linux not bsd
</p>
</li>
<li>
<p>
lowmem* search methods are now in snort_examples
</p>
</li>
<li>
<p>
deleted unused http_inspect stateful mode
</p>
</li>
<li>
<p>
deleted stateless inspection from ftp and telnet
</p>
</li>
<li>
<p>
deleted http and ftp alert options (now strictly rule based)
</p>
</li>
<li>
<p>
preprocessor disabled settings deleted since no longer relevant
</p>
</li>
<li>
<p>
sessions are always created; snort config stateful checks eliminated
</p>
</li>
<li>
<p>
stream5_tcp: prune_log_max deleted; to be replaced with histogram
</p>
</li>
<li>
<p>
stream5_tcp: max_active_responses, min_response_seconds moved to
  active.max_responses, min_interval
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_rules_3">Rules</h3>
<div class="ulist"><ul>
<li>
<p>
all rules must have a sid
</p>
</li>
<li>
<p>
sid == 0 not allowed
</p>
</li>
<li>
<p>
deleted activate / dynamic rules
</p>
</li>
<li>
<p>
deleted unused rule_state.action
</p>
</li>
<li>
<p>
deleted metadata engine shared
</p>
</li>
<li>
<p>
deleted metadata: rule-flushing (with PDU flushing rule flushing can cause
  missed attacks, the opposite of its intent)
</p>
</li>
<li>
<p>
changed metadata:service one[, service two]; to service:one[, two];
</p>
</li>
<li>
<p>
soid is now a non-metadata option
</p>
</li>
<li>
<p>
metadata is now truly metadata with no impact on detection
  (Snort doesn&#8217;t care about metadata internal structure / syntax)
</p>
</li>
<li>
<p>
deleted fast_pattern:only; use fast_pattern, nocase
  (option is not added to detection tree if not required)
</p>
</li>
<li>
<p>
changed fast_pattern:&lt;offset&gt;,&lt;length&gt; to
  fast_pattern,fast_pattern_offset &lt;offset&gt;,fast_pattern_length &lt;length&gt;
</p>
</li>
<li>
<p>
fast pattern sensitive data with sd_pattern using hyperscan
</p>
</li>
<li>
<p>
hyperscan regex fast patterns with regex:"&lt;regex&gt;", fast_pattern;
</p>
</li>
<li>
<p>
no ; separated content suboptions
</p>
</li>
<li>
<p>
offset, depth, distance, and within must use a space separator not colon
  (e.g. offset:5; becomes offset 5;)
</p>
</li>
<li>
<p>
content suboptions http_* are now full options
</p>
</li>
<li>
<p>
added sticky buffers: buffer selector options must precede contents and remain
  in effect until changed
</p>
</li>
<li>
<p>
the following pcre options have been deleted: use sticky buffers instead
    B, U, P, H, M, C, I, D, K, S, Y
</p>
</li>
<li>
<p>
deleted uricontent option; use sticky buffer
  uricontent:"foo" -&#8594;  http_uri; content:"foo"
</p>
</li>
<li>
<p>
deleted urilen raw and norm; must use http_raw_uri and http_uri instead
</p>
</li>
<li>
<p>
deleted unused http_encode option
</p>
</li>
<li>
<p>
urilen replaced with generic bufferlen which applies to current sticky
  buffer
</p>
</li>
<li>
<p>
added optional selector to http_header, e.g. http_header:User-Agent;
</p>
</li>
<li>
<p>
the all new http_inspect has new buffers and rule options
</p>
</li>
<li>
<p>
added alert file and alert service rules
  (service in body not required if there is only one and it is in header;
  alert service / file rules disable fast pattern searching of raw packets)
</p>
</li>
<li>
<p>
rule option sequence: &lt;stub&gt; soid &lt;hidden&gt;
</p>
</li>
<li>
<p>
arbitrary whitespace and multiline rules w/o \n
</p>
</li>
<li>
<p>
#begin &#8230; #end comments to easily comment out multiple lines
</p>
</li>
<li>
<p>
add rule remarks option with rem:"arbitrary comment"
</p>
</li>
<li>
<p>
nets and/or ports may be omitted from rule headers (matches any)
</p>
</li>
<li>
<p>
parse all rules and output all errors before quitting
</p>
</li>
<li>
<p>
read rules from conf, separate rules file, or stdin
</p>
</li>
<li>
<p>
The symbol =&lt; in a byte test is recognized as a syntax error. The correct
  symbol is &lt;=.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_output_3">Output</h3>
<div class="ulist"><ul>
<li>
<p>
alert_fast includes packet data by default
</p>
</li>
<li>
<p>
all text mode outputs default to stdout
</p>
</li>
<li>
<p>
changed default logging mode to -L none
</p>
</li>
<li>
<p>
deleted layer2resets and flexresp2_*
</p>
</li>
<li>
<p>
deleted log_ascii
</p>
</li>
<li>
<p>
general output guideline: don&#8217;t print zero counts
</p>
</li>
<li>
<p>
Snort 3 queues decoder and inspector events to the main event queue before ips policy
  is selected; since some events may not be enabled, the queue needs to be sized larger
  than with Snort 2 which used an intermediate queue for decoder events.
</p>
</li>
<li>
<p>
deleted the intermediate http and ftp_telnet event queues
</p>
</li>
<li>
<p>
alert_unified2 and log_unified2 have been deleted
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_sensitive_data">Sensitive Data</h3>
<div class="paragraph"><p>The Snort 2.X SDF Preprocessor is gone, replaced by ips option <code>sd_pattern</code>.
The sd_pattern rule option is synonymous with the sd_pattern option used
for gid:138 rules, but has a different syntax. A major difference in syntax
is the use of Hyperscan pattern matching library which provides a regex
language similar to PCRE.</p></div>
<div class="paragraph"><p>To facilitate continued performance, sd_pattern rule option is implemented
with Hyperscan pattern matching library. The rule option is now also utilized
as a "fast pattern" in the Snort engine which provides a significant performance
improvement over the separate detection step of earlier implementations.</p></div>
<div class="paragraph"><p>The preprocessor alert SDF_COMBO_ALERT (139:1) has been removed and has no
replacement in Snort 3.X. This is because the rule offered no additional
value over gid:138 rules and was difficult to interpret the result of.</p></div>
<div class="paragraph"><p>For more information, See Features &gt; Sensitive Data Filtering for details.</p></div>
</div>
<div class="sect2">
<h3 id="_features_not_yet_supported_by_snort_3">Features Not Yet Supported by Snort 3</h3>
<div class="ulist"><ul>
<li>
<p>
Support in http_inspect for Original Client IP is limited to the
  X-Forwarded-For and True-Client-IP headers in that order. It is not
  possible to configure additional custom headers to search for Original
  Client IP.
</p>
</li>
<li>
<p>
The -n option does not work properly when perf_monitor is configured. The
  number of packets processed from the pcap is likely to be more than the
  number specified with the -n option.
</p>
</li>
<li>
<p>
When a file is transferred via SMB2 it may be allowed even though
  according to file policy it should be blocked. This occurs when the
  create and read requests are sent together and then the read and create
  responses are sent together. Blocking is done correctly if the create and
  read requests are sent separately or if the file is large enough to
  require two read responses.
</p>
</li>
<li>
<p>
This user manual is incomplete and does not fully cover many Snort 2.X
  features that are also supported by Snort 3.
</p>
</li>
</ul></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_snort2lua">Snort2Lua</h2>
<div class="sectionbody">
<div class="paragraph"><p>One of the major differences between Snort 2 and Snort 3 is the
configuration. Snort 2 configuration files are written in Snort-specific
syntax while Snort 3 configuration files are written in Lua. Snort2Lua is a
program specifically designed to convert valid Snort 2 configuration files
into Lua files that Snort 3 can understand.</p></div>
<div class="paragraph"><p>Snort2Lua reads your legacy Snort conf file(s) and generates Snort 3 Lua
and rules files. When running this program, the only mandatory option is to
provide Snort2Lua with a Snort 2 configuration file. The default output
file file is snort.lua, the default error file will be snort.rej, and the
default rule file is the output file (default is snort.lua).  When
Snort2Lua finishes running, the resulting configuration file can be
successfully run as the Snort3.0 configuration file.  The sole exception to
this rule is when Snort2Lua cannot find an included file.  If that occurs,
the file will still be included in the output file and you will need to
manually adjust or comment the file name. Additionally, if the exit code is
not zero, some of the information may not be successfully converted.  Check
the error file for all of the conversion problems.</p></div>
<div class="paragraph"><p>Those errors can occur for a multitude of reasons and are not necessarily
bad. Snort2Lua expects a valid Snort 2 configuration.  Therefore, if the
configuration is invalid or has questionable syntax, Snort2Lua may fail to
parse the configuration file or create an invalid Snort 3 configuration
file.</p></div>
<div class="paragraph"><p>There are a also few peculiarities of Snort2Lua that may be confusing to a
first time user:</p></div>
<div class="ulist"><ul>
<li>
<p>
Aside from an initial configuration file (which is specified from the
  command line or as the file in ‘config binding’), every file that is
  included into Snort 3 must be either a Lua file or a rule file; the file
  cannot contain both rules and Lua syntax.  Therefore, when parsing a file
  specified with the ‘include’ command, Snort2Lua will output both a Lua
  file and a rule file.
</p>
</li>
<li>
<p>
Any line that is a comment in a configuration file will be added in to a
  comments section at the bottom of the main configuration file.
</p>
</li>
<li>
<p>
Rules that contain unsupported options will be converted to the best of
  Snort2Lua’s capability and then printed as a comment in the rule file.
</p>
</li>
<li>
<p>
Files with a <em>.rules</em> suffix are assumed to be Talos 2.X rules files and
  converted line-by-line.  In this case, lines starting with <em>alert</em> are
  converted as usual but lines starting with <em># alert</em> are
  assumed to be commented out rules which are converted to 3.0 format and
  remain comments in the output file.  All other comments are passed
  through directly.  There is no support for other commented rule actions
  since these do not appear in Talos rules files.
</p>
</li>
</ul></div>
<div class="sect2">
<h3 id="_snort2lua_command_line">Snort2Lua Command Line</h3>
<div class="paragraph"><p>By default, Snort2Lua will attempt to parse every ‘include’ file and every
‘binding’ file.  There is an option to change this functionality.</p></div>
<div class="paragraph"><p>When specifying a rule file with one of the command line options, Snort2Lua
will output all of the converted rules to that specified rule file.  This
is especially useful when you are only interesting in converting rules
since there is no Lua syntax in rule files.  There is also an option that
tells Snort2Lua to output every rule for a given configuration into a
single rule file.  Similarly, there is an option pull all of the Lua syntax
from every ‘include’ file into the output file.</p></div>
<div class="paragraph"><p>There are currently three output modes: default, quiet, and differences.
As expected, quiet mode produces a Snort configuration.  All errors (aside
from Fatal Snort2Lua errors), differences, and comments will omitted from
the final output file.  Default mode will print everything. That mean you
will be able to see exactly what changes have occurred between Snort 2 and
Snort 3 in addition to the new syntax, the original file&#8217;s comments, and
all errors that have occurred.  Finally, differences mode will not actually
output a valid Snort 3 configuration.  Instead, you can see the exact
options from the input configuration that have changed.</p></div>
<div class="sect3">
<h4 id="_usage_snort2lua_options_8230_c_lt_snort_conf_gt_8230">Usage: snort2lua [OPTIONS]&#8230; -c &lt;snort_conf&gt; &#8230;</h4>
<div class="paragraph"><p>Converts the Snort configuration file specified by the -c or --conf-file
options into a Snort++ configuration file</p></div>
<div class="sect4">
<h5 id="_options">Options:</h5>
<div class="ulist"><ul>
<li>
<p>
<strong>-?</strong>                show usage
</p>
</li>
<li>
<p>
<strong>-h</strong>                this overview of snort2lua
</p>
</li>
<li>
<p>
<strong>-a</strong>                default option.  print all data
</p>
</li>
<li>
<p>
<strong>-c &lt;snort_conf&gt;</strong>   The Snort &lt;snort_conf&gt; file to convert
</p>
</li>
<li>
<p>
<strong>-d</strong>                print the differences, and only the differences, between the
                    Snort and Snort++ configurations to the &lt;out_file&gt;
</p>
</li>
<li>
<p>
<strong>-e &lt;error_file&gt;</strong>   output all errors to &lt;error_file&gt;
</p>
</li>
<li>
<p>
<strong>-i</strong>                if &lt;snort_conf&gt; file contains any &lt;include_file&gt; or
                    &lt;policy_file&gt; (i.e. <em>include path/to/conf/other_conf</em>), do
                    NOT parse those files
</p>
</li>
<li>
<p>
<strong>-m</strong>                add a remark to the end of every converted rule
</p>
</li>
<li>
<p>
<strong>-o &lt;out_file&gt;</strong>     output the new Snort++ lua configuration to &lt;out_file&gt;
</p>
</li>
<li>
<p>
<strong>-q</strong>                quiet mode. Only output valid configuration information to
                    the &lt;out_file&gt;
</p>
</li>
<li>
<p>
<strong>-r &lt;rule_file&gt;</strong>    output any converted rule to &lt;rule_file&gt;
</p>
</li>
<li>
<p>
<strong>-s</strong>                when parsing &lt;include_file&gt;, write &lt;include_file&gt;'s rules to
                    &lt;rule_file&gt;. Meaningless if <em>-i</em> provided
</p>
</li>
<li>
<p>
<strong>-t</strong>                when parsing &lt;include_file&gt;, write &lt;include_file&gt;'s
                    information, excluding rules, to &lt;out_file&gt;. Meaningless if
                    <em>-i</em> provided
</p>
</li>
<li>
<p>
<strong>-V</strong>                Print the current Snort2Lua version
</p>
</li>
<li>
<p>
<strong>--bind-wizard</strong>     Add default wizard to bindings
</p>
</li>
<li>
<p>
<strong>--conf-file</strong>       Same as <em>-c</em>. A Snort &lt;snort_conf&gt; file which will be
                    converted
</p>
</li>
<li>
<p>
<strong>--dont-parse-includes</strong>
                    Same as <em>-p</em>. if &lt;snort_conf&gt; file contains any
                    &lt;include_file&gt; or &lt;policy_file&gt; (i.e. <em>include
                    path/to/conf/other_conf</em>), do NOT parse those files
</p>
</li>
<li>
<p>
<strong>--dont-convert-max-sessions</strong>
                    do not convert max_tcp, max_udp, max_icmp, max_ip to
                    max_session
</p>
</li>
<li>
<p>
<strong>--error-file=&lt;error_file&gt;</strong>
                    Same as <em>-e</em>. output all errors to &lt;error_file&gt;
</p>
</li>
<li>
<p>
<strong>--help</strong>            Same as <em>-h</em>. this overview of snort2lua
</p>
</li>
<li>
<p>
<strong>--ips-policy-pattern</strong>  Convert config bindings matching this path to ips policy
                    bindings
</p>
</li>
<li>
<p>
<strong>--markup</strong>          print help in asciidoc compatible format
</p>
</li>
<li>
<p>
<strong>--output-file=&lt;out_file&gt;</strong>
                    Same as <em>-o</em>. output the new Snort++ lua configuration to
                    &lt;out_file&gt;
</p>
</li>
<li>
<p>
<strong>--print-all</strong>       Same as <em>-a</em>. default option.  print all data
</p>
</li>
<li>
<p>
<strong>--print-differences</strong>  Same as <em>-d</em>. output the differences, and only the
                    differences, between the Snort and Snort++ configurations to
                    the &lt;out_file&gt;
</p>
</li>
<li>
<p>
<strong>--quiet</strong>           Same as <em>-q</em>. quiet mode. Only output valid configuration
                    information to the &lt;out_file&gt;
</p>
</li>
<li>
<p>
<strong>--remark</strong>          same as <em>-m</em>.  add a remark to the end of every converted
                    rule
</p>
</li>
<li>
<p>
<strong>--rule-file=&lt;rule_file&gt;</strong>
                    Same as <em>-r</em>. output any converted rule to &lt;rule_file&gt;
</p>
</li>
<li>
<p>
<strong>--single-conf-file</strong>  Same as <em>-t</em>. when parsing &lt;include_file&gt;, write
                    &lt;include_file&gt;'s information, excluding rules, to
                    &lt;out_file&gt;
</p>
</li>
<li>
<p>
<strong>--single-rule-file</strong>  Same as <em>-s</em>. when parsing &lt;include_file&gt;, write
                    &lt;include_file&gt;'s rules to &lt;rule_file&gt;.
</p>
</li>
<li>
<p>
<strong>--version</strong>         Same as <em>-V</em>. Print the current Snort2Lua version
</p>
</li>
</ul></div>
</div>
<div class="sect4">
<h5 id="_required_option">Required option:</h5>
<div class="ulist"><ul>
<li>
<p>
A Snort configuration file to convert. Set with either <em>-c</em> or <em>--conf-file</em>
</p>
</li>
</ul></div>
</div>
<div class="sect4">
<h5 id="_default_values">Default values:</h5>
<div class="ulist"><ul>
<li>
<p>
&lt;out_file&gt;   =  snort.lua
</p>
</li>
<li>
<p>
&lt;rule_file&gt;  =  &lt;out_file&gt; = snort.lua.  Rules are written to the <em>local_rules</em> variable in the &lt;out_file&gt;
</p>
</li>
<li>
<p>
&lt;error_file&gt; =  snort.rej.  This file will not be created in quiet mode.
</p>
</li>
</ul></div>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_known_problems">Known Problems</h3>
<div class="ulist"><ul>
<li>
<p>
Any Snort 2 ‘string’ which is dependent on a variable will no longer
   have that variable in the Lua string.
</p>
</li>
<li>
<p>
Snort2Lua currently does not handle variables well. First, that means
   variables will not always be parsed correctly.  Second, sometimes a
   variables value will be output in the lua file rather than a variable
   For instance, if Snort2Lua attempted to convert the line <em>include
   $RULE_PATH/example.rule</em>, the output may output <em>include
   /etc/rules/example.rule</em> instead.
</p>
</li>
<li>
<p>
When Snort2Lua parses a ‘binding’ configuration file, the rules and
   configuration will automatically be combined into the same file.  Also,
   the new files name will automatically become the old file’s name with a
   .lua extension.  There is currently no way to specify or change that
   files name.
</p>
</li>
<li>
<p>
If a rule&#8217;s action is a custom ruletype, that rule action will be
   silently converted to the rultype&#8217;s <em>type</em>. No warnings or errors are
   currently emitted. Additionally, the custom ruletypes outputs will be
   silently discarded.
</p>
</li>
<li>
<p>
If the original configuration contains a binding that points to another
   file and the binding file contains an error, Snort2Lua will output the
   number of rejects for the binding file in addition to the number of
   rejects in the main file.  The two numbers will eventually be combined
   into one output.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_usage_2">Usage</h3>
<div class="paragraph"><p>Snort2Lua is included in the Snort 3 distribution. The Snort2Lua source
code is located in the tools/snort2lua directory. The program is
automatically built and installed.</p></div>
<div class="paragraph"><p>Translating your configuration</p></div>
<div class="paragraph"><p>To run Snort2Lua, the only requirement is a file containing Snort 2 syntax.
Assuming your configuration file is named snort.conf, run the command</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort2lua –c snort.conf</code></pre>
</div></div>
<div class="paragraph"><p>Snort2Lua will output a file named snort.lua. Assuming your snort.conf file
is a valid Snort 2 configuration file, than the resulting snort.lua file
will always be a valid Snort 3 configuration file; any errors that occur
are because Snort 3 currently does not support all of the Snort 2 options.</p></div>
<div class="paragraph"><p>Every keyword from the Snort configuration can be found in the output file.
If the option or keyword has changed, then a comment containing both the
option or keyword’s old name and new name will be present in the output
file.</p></div>
<div class="paragraph"><p>Translating a rule file</p></div>
<div class="paragraph"><p>Snort2Lua can also accommodate translating individual rule files. Assuming
the Snort 2 rule file is named snort.rules and you want the new rule file
to be name updated.rules, run the command</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort2lua –c snort.rules -r updated.rules</code></pre>
</div></div>
<div class="paragraph"><p>Snort2Lua will output a file named updated.rules. That file, updated.rules,
will always be a valid Snort 3 rule file. Any rule that contains
unsupported options will be a comment in the output file.</p></div>
<div class="paragraph"><p>Understanding the Output</p></div>
<div class="paragraph"><p>Although Snort2Lua outputs very little to the console, there are several
things that occur when Snort2Lua runs.  This is a list of Snort2Lua
outputs.</p></div>
<div class="paragraph"><p><em>The console</em>.   Every line that Snort2Lua is unable to translate from the
Snort 2.X format to the Snort 3 format is considered an error. Upon
exiting, Snort2Lua will print the number of errors that occurred. Snort2Lua
will also print the name of the error file.</p></div>
<div class="paragraph"><p><em>The output file</em>.  As previously mentioned, Snort2Lua will create a Lua
file with valid Snort 3 syntax.  The default Lua file is named snort.lua.
This file is the equivalent of your main Snort 2 configuration file.</p></div>
<div class="paragraph"><p><em>The rule file</em>.   By default, all rules will be printed to the Lua file.
However, if a rule file is specified on the command line, any rules found
in the Snort 2 configuration will be written to the rule file instead</p></div>
<div class="paragraph"><p><em>The error file</em>.  By default, the error file is snort.rej. It will only be
created if errors exist.  Every error referenced on the command line can be
found in this file.  There are two reasons an error can occur.</p></div>
<div class="ulist"><ul>
<li>
<p>
The Snort 2 configuration file has invalid syntax. If Snort 2 cannot
  parse the configuration file, neither can Snort2Lua.  In the example below,
  Snort2Lua could not convert the line <em>config bad_option</em>.  Since that is not
  valid Snort 2 syntax, this is a syntax error.
</p>
</li>
<li>
<p>
The Snort 2 configuration file contains preprocessors and rule options
  that are not supported in Snort 3.  If Snort 2 can parse a line that
  Snort2Lua cannot parse, than Snort 3 does not support something in the line.
  As Snort 3 begins supporting these preprocessors and rule options, Snort2Lua
  will also begin translating these lines. One example of such an error is
  dcerpc2.
</p>
</li>
</ul></div>
<div class="paragraph"><p>Additional .lua and .rules files. Every time Snort2Lua parses the include
or binding keyword, the program will attempt to parse the file referenced
by the keyword.  Snort2Lua will then create one or two new files.  The new
files will have a .lua or .rules extension appended to the original
filename.</p></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_extending_snort">Extending Snort</h2>
<div class="sectionbody">
<div class="sect2">
<h3 id="_plugins_3">Plugins</h3>
<div class="paragraph"><p>Plugins have an associated API defined for each type, all of which share a
common <em>header</em>, called the BaseApi.  A dynamic library makes its plugins
available by exporting the snort_plugins symbol, which is a null terminated
array of BaseApi pointers.</p></div>
<div class="paragraph"><p>The BaseApi includes type, name, API version, plugin version, and function
pointers for constructing and destructing a Module.  The specific API add
various other data and functions for their given roles.</p></div>
</div>
<div class="sect2">
<h3 id="_modules_2">Modules</h3>
<div class="paragraph"><p>If we are defining a new Inspector called, say, gadget, it might be
configured in snort.lua like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>gadget =
{
    brain = true,
    claw = 3
}</code></pre>
</div></div>
<div class="paragraph"><p>When the gadget table is processed, Snort will look for a module called
gadget.  If that Module has an associated API, it will be used to configure
a new instance of the plugin.  In this case, a GadgetModule would be
instantiated, brain and claw would be set, and the Module instance would be
passed to the GadgetInspector constructor.</p></div>
<div class="paragraph"><p>Module has three key virtual methods:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>begin()</strong> - called when Snort starts processing the associated Lua
  table.  This is a good place to allocate any required data and set
  defaults.
</p>
</li>
<li>
<p>
<strong>set()</strong> - called to set each parameter after validation.
</p>
</li>
<li>
<p>
<strong>end()</strong> - called when Snort finishes processing the associated Lua
  table.  This is where additional integrity checks of related parameters
  should be done.
</p>
</li>
</ul></div>
<div class="paragraph"><p>The configured Module is passed to the plugin constructor which pulls the
configuration data from the Module.  For non-trivial configurations, the
working paradigm is that Module hands a pointer to the configured data to
the plugin instance which takes ownership.</p></div>
<div class="paragraph"><p>Note that there is at most one instance of a given Module, even if multiple
plugin instances are created which use that Module.  (Multiple instances
require Snort binding configuration.)</p></div>
</div>
<div class="sect2">
<h3 id="_inspectors">Inspectors</h3>
<div class="paragraph"><p>There are several types of inspector, which determines which inspectors are
executed when:</p></div>
<div class="ulist"><ul>
<li>
<p>
IT_BINDER - determines which inspectors apply to given flows
</p>
</li>
<li>
<p>
IT_WIZARD - determines which service inspector to use if none explicitly
  bound
</p>
</li>
<li>
<p>
IT_PACKET - used to process all packets before session and service processing
  (e.g. normalize)
</p>
</li>
<li>
<p>
IT_NETWORK - processes packets w/o service (e.g. arp_spoof, back_orifice)
</p>
</li>
<li>
<p>
IT_STREAM - for flow tracking, ip defrag, and tcp reassembly
</p>
</li>
<li>
<p>
IT_SERVICE - for http, ftp, telnet, etc.
</p>
</li>
<li>
<p>
IT_PROBE - process all packets after all the above (e.g. perf_monitor,
  port_scan)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_codecs">Codecs</h3>
<div class="paragraph"><p>The Snort Codecs decipher raw packets. These Codecs are now completely
pluggable; almost every Snort Codec can be built dynamically and replaced
with an alternative, customized Codec. The pluggable nature has also made
it easier to build new Codecs for protocols without having to touch the
Snort code base.</p></div>
<div class="paragraph"><p>The first step in creating a Codec is defining its class and protocol.
Every Codec must inherit from the Snort Codec class defined in
"framework/codec.h". The following is an example Codec named "example" and
has an associated struct that is 14 bytes long.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>#include &lt;cstdint&gt;
#include &lt;arpa/inet.h&gt;
#include “framework/codec.h”
#include "main/snort_types.h"</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>#define EX_NAME “example”
#define EX_HELP “example codec help string”</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>struct Example
{
    uint8_t dst[6];
    uint8_t src[6];
    uint16_t ethertype;</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>    static inline uint8_t size()
    { return 14; }
}</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>class ExCodec : public Codec
{
public:
    ExCodec() : Codec(EX_NAME) { }
    ~ExCodec() { }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>    bool decode(const RawData&amp;, CodecData&amp;, DecodeData&amp;) override;
    void get_protocol_ids(std::vector&lt;uint16_t&gt;&amp;) override;
};</code></pre>
</div></div>
<div class="paragraph"><p>After defining ExCodec, the next step is adding the Codec&#8217;s decode
functionality. The function below does this by implementing a valid decode
function. The first parameter, which is the RawData struct, provides both a
pointer to the raw data that has come from a wire and the length of that raw
data. The function takes this information and validates that there are enough
bytes for this protocol. If the raw data&#8217;s length is less than 14 bytes, the
function returns false and Snort discards the packet; the packet is neither
inspected nor processed. If the length is greater than 14 bytes, the function
populates two fields in the CodecData struct, next_prot_id and lyr_len. The
lyr_len field tells Snort the number of bytes that this layer contains. The
next_prot_id field provides Snort the value of the next EtherType or IP
protocol number.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>bool ExCodec::decode(const RawData&amp; raw, CodecData&amp; codec, DecodeData&amp;)
{
   if ( raw.len &lt; Example::size() )
       return false;</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>    const Example* const ex = reinterpret_cast&lt;const Example*&gt;(raw.data);
    codec.next_prot_id = ntohs(ex-&gt;ethertype);
    codec.lyr_len = ex-&gt;size();
    return true;
}</code></pre>
</div></div>
<div class="paragraph"><p>For instance, assume this decode function receives the following raw data with
a validated length of 32 bytes:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>00 11 22 33 44 55 66 77    88 99 aa bb 08 00 45 00
00 38 00 01 00 00 40 06    5c ac 0a 01 02 03 0a 09</code></pre>
</div></div>
<div class="paragraph"><p>The Example struct&#8217;s EtherType field is the 13 and 14 bytes. Therefore, this
function tells Snort that the next protocol has an EtherType of 0x0800.
Additionally, since the lyr_len is set to 14, Snort knows that the next
protocol begins 14 bytes after the beginning of this protocol. The Codec with
EtherType 0x0800, which happens to be the IPv4 Codec, will receive the
following data with a validated length of 18 ( == 32 – 14):</p></div>
<div class="literalblock">
<div class="content">
<pre><code>45 00 00 38 00 01 00 00    40 06 5c ac 0a 01 02 03
0a 09</code></pre>
</div></div>
<div class="paragraph"><p>How does Snort know that the IPv4 Codec has an EtherType of 0x0800? The
Codec class has a second virtual function named get_protocol_ids(). When
implementing the function, a Codec can register for any number of values
between 0x0000 - 0xFFFF. Then, if the next_proto_id is set to a value for which
this Codec has registered, this Codec&#8217;s decode function will be called. As a
general note, the protocol ids between [0, 0x00FF] are IP protocol numbers,
[0x0100, 0x05FF] are custom types, and [0x0600, 0xFFFF] are EtherTypes.</p></div>
<div class="paragraph"><p>For example, in the get_protocol_ids function below, the ExCodec registers for
the protocols numbers 17, 787, and 2054. 17 happens to be the protocol number
for UDP while 2054 is ARP&#8217;s EtherType. Therefore, this Codec will now attempt
to decode UDP and ARP data. Additionally, if any Codec sets the
next_protocol_id to 787, ExCodec&#8217;s decode function will be called. Some custom
protocols are already defined in the file "protocols/protocol_ids.h"</p></div>
<div class="literalblock">
<div class="content">
<pre><code>void ExCodec::get_protocol_ids(std::vector&lt;uint16_t&gt;&amp;v)
{
    v.push_back(0x0011); // == 17  == UDP
    v.push_back(0x1313); // == 787  == custom
    v.push_back(0x0806); // == 2054  == ARP
}</code></pre>
</div></div>
<div class="paragraph"><p>To register a Codec for Data Link Type&#8217;s rather than protocols, the function
get_data_link_type() can be similarly implemented.</p></div>
<div class="paragraph"><p>The final step to creating a pluggable Codec is the snort_plugins array. This
array is important because when Snort loads a dynamic library, the program
only find plugins that are inside the snort_plugins array. In other words, if a
plugin has not been added to the snort_plugins array, that plugin will not be
loaded into Snort.</p></div>
<div class="paragraph"><p>Although the details will not be covered in this post, the following code
snippet is a basic CodecApi that Snort can load. This snippet can be copied
and used with only three minor changes. First, in the function ctor, ExCodec
should be replaced with the name of the Codec that is being built. Second,
EX_NAME must match the Codec&#8217;s name or Snort will be unable to load this Codec.
Third, EX_HELP should be replaced with the general description of this Codec.
Once this code snippet has been added, ExCodec is ready to be compiled and
plugged into Snort.</p></div>
<div class="literalblock">
<div class="content">
<pre><code>static Codec* ctor(Module*)
{ return new ExCodec; }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>static void dtor(Codec *cd)
{ delete cd; }</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>static const CodecApi ex_api =
{
    {
        PT_CODEC,
        EX_NAME,
        EX_HELP,
        CDAPI_PLUGIN_V0,
        0,
        nullptr,
        nullptr,
    },
    nullptr, // pointer to a function called during Snort's startup.
    nullptr, // pointer to a function called during Snort's exit.
    nullptr, // pointer to a function called during thread's startup.
    nullptr, // pointer to a function called during thread's destruction.
    ctor, // pointer to the codec constructor.
    dtor, // pointer to the codec destructor.
};</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>SO_PUBLIC const BaseApi* snort_plugins[] =
{
    &amp;ex_api.base,
    nullptr
};</code></pre>
</div></div>
<div class="paragraph"><p>Two example Codecs are available in the extra directory on git and the extra
tarball on the Snort page. One of those examples is the Token Ring Codec
while the other example is the PIM Codec.</p></div>
<div class="paragraph"><p>As a final note, there are four more virtual functions that a Codec should
implement: encode, format, update, and log. If the functions are not
implemented Snort will not throw any errors. However, Snort may also be unable
to accomplish some of its basic functionality.</p></div>
<div class="ulist"><ul>
<li>
<p>
encode is called whenever Snort actively responds and needs to builds a
  packet, i.e. whenever a rule using an IPS ACTION like react, reject, or rewrite
  is triggered. This function is used to build the response packet protocol by
  protocol.
</p>
</li>
<li>
<p>
format is called when Snort is rebuilding a packet. For instance, every time
  Snort reassembles a TCP stream or IP fragment, format is called. Generally,
  this function either swaps any source and destination fields in the protocol or
  does nothing.
</p>
</li>
<li>
<p>
update is similar to format in that it is called when Snort is reassembling a
  packet. Unlike format, this function only sets length fields.
</p>
</li>
<li>
<p>
log is called when either the log_codecs logger or a custom logger that calls
  PacketManager::log_protocols is used when running Snort.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_ips_actions">IPS Actions</h3>
<div class="paragraph"><p>Action plugins specify a builtin action in the API which is used to
determine verdict.  (Conversely, builtin actions don&#8217;t have an associated
plugin function.)</p></div>
</div>
<div class="sect2">
<h3 id="_piglet_test_harness">Piglet Test Harness</h3>
<div class="paragraph"><p>In order to assist with plugin development, an experimental mode called "piglet" mode
is provided. With piglet mode, you can call individual methods for a specific plugin.
The piglet tests are specified as Lua scripts. Each piglet test script defines a test
for a specific plugin.</p></div>
<div class="paragraph"><p>Here is a minimal example of a piglet test script for the IPv4 Codec plugin:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>plugin =
{
    type = "piglet",
    name = "codec::ipv4",
    use_defaults = true,
    test = function()
        local daq_header = DAQHeader.new()
        local raw_buffer = RawBuffer.new("some data")
        local codec_data = CodecData.new()
        local decode_data = DecodeData.new()</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>        return Codec.decode(
            daq_header,
            raw_buffer,
            codec_data,
            decode_data
        )
    end
}</code></pre>
</div></div>
<div class="paragraph"><p>To run snort in piglet mode, first build snort with the ENABLE_PIGLET option turned on
(pass the flag -DENABLE_PIGLET:BOOL=ON in cmake).</p></div>
<div class="paragraph"><p>Then, run the following command:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>snort --script-path $test_scripts --piglet</code></pre>
</div></div>
<div class="paragraph"><p>(where $test_scripts is the directory containing your piglet tests).</p></div>
<div class="paragraph"><p>The test runner will generate a check-like output, indicating the
the results of each test script.</p></div>
</div>
<div class="sect2">
<h3 id="_piglet_lua_api">Piglet Lua API</h3>
<div class="paragraph"><p>This section documents the API that piglet exposes to Lua.
Refer to the piglet directory in the source tree for examples of usage.</p></div>
<div class="paragraph"><p>Note: Because of the differences between the Lua and C++ data model and type
system, not all parameters map directly to the parameters of the underlying
C\++ member functions. Every effort has been made to keep the mappings consist,
but there are still some differences. They are documented below.</p></div>
<div class="sect3">
<h4 id="_plugin_instances">Plugin Instances</h4>
<div class="paragraph"><p>For each test, piglet instantiates plugin specified in the <code>name</code> field of the
<code>plugin</code> table. The virtual methods of the instance are exposed in a table
unique to each plugin type. The name of the table is the CamelCase name of the
plugin type.</p></div>
<div class="paragraph"><p>For example, codec plugins have a virtual method called <code>decode</code>. This method
is called like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>Codec.decode(...)</code></pre>
</div></div>
<div class="paragraph"><p><strong>Codec</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>Codec.get_data_link_type() &#8594; { int, int, &#8230; }</code>
</p>
</li>
<li>
<p>
<code>Codec.get_protocol_ids() &#8594; { int, int, &#8230; }</code>
</p>
</li>
<li>
<p>
<code>Codec.decode(DAQHeader, RawBuffer, CodecData, DecodeData) &#8594; bool</code>
</p>
</li>
<li>
<p>
<code>Codec.log(RawBuffer, uint[lyr_len])</code>
</p>
</li>
<li>
<p>
<code>Codec.encode(RawBuffer, EncState, Buffer) &#8594; bool</code>
</p>
</li>
<li>
<p>
<code>Codec.update(uint[flags_hi], uint[flags_lo], RawBuffer, uint[lyr_len] &#8594; int</code>
</p>
</li>
<li>
<p>
<code>Codec.format(bool[reverse], RawBuffer, DecodeData)</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p>Differences:</p></div>
<div class="ulist"><ul>
<li>
<p>
In <code>Codec.update()</code>, the <code>(uint64_t) flags</code> parameter has been split into
<code>flags_hi</code> and <code>flags_lo</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>Inspector</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>Inspector.configure()</code>
</p>
</li>
<li>
<p>
<code>Inspector.tinit()</code>
</p>
</li>
<li>
<p>
<code>Inspector.tterm()</code>
</p>
</li>
<li>
<p>
<code>Inspector.likes(Packet)</code>
</p>
</li>
<li>
<p>
<code>Inspector.eval(Packet)</code>
</p>
</li>
<li>
<p>
<code>Inspector.clear(Packet)</code>
</p>
</li>
<li>
<p>
<code>Inspector.get_buf_from_key(string[key], Packet, RawBuffer) &#8594; bool</code>
</p>
</li>
<li>
<p>
<code>Inspector.get_buf_from_id(uint[id], Packet, RawBuffer) &#8594; bool</code>
</p>
</li>
<li>
<p>
<code>Inspector.get_buf_from_type(uint[type], Packet, RawBuffer) &#8594; bool</code>
</p>
</li>
<li>
<p>
<code>Inspector.get_splitter(bool[to_server]) &#8594; StreamSplitter</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p>Differences:
* In <code>Inspector.configure()</code>, the <code>SnortConfig*</code> parameter is passed implicitly.
* the overloaded <code>get_buf()</code> member function has been split into three separate methods.</p></div>
<div class="paragraph"><p><strong>IpsOption</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>IpsOption.hash() &#8594; int</code>
</p>
</li>
<li>
<p>
<code>IpsOption.is_relative() &#8594; bool</code>
</p>
</li>
<li>
<p>
<code>IpsOption.fp_research() &#8594; bool</code>
</p>
</li>
<li>
<p>
<code>IpsOption.get_cursor_type() &#8594; int</code>
</p>
</li>
<li>
<p>
<code>IpsOption.eval(Cursor, Packet) &#8594; int</code>
</p>
</li>
<li>
<p>
<code>IpsOption.action(Packet)</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>IpsAction</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>IpsAction.exec(Packet)</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>Logger</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>Logger.open()</code>
</p>
</li>
<li>
<p>
<code>Logger.close()</code>
</p>
</li>
<li>
<p>
<code>Logger.reset()</code>
</p>
</li>
<li>
<p>
<code>Logger.alert(Packet, string[message], Event)</code>
</p>
</li>
<li>
<p>
<code>Logger.log(Packet, string[message], Event)</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>SearchEngine</strong></p></div>
<div class="paragraph"><p>Currently, SearchEngine does not expose any methods.</p></div>
<div class="paragraph"><p><strong>SoRule</strong></p></div>
<div class="paragraph"><p>Currently, SoRule does not expose any methods.</p></div>
<div class="sect4">
<h5 id="_interface_objects">Interface Objects</h5>
<div class="paragraph"><p>Many of the plugins take C++ classes and structs as arguments. These objects
are exposed to the Lua API as Lua userdata. Exposed objects are instantiated
by calling the <code>new</code> method from each object&#8217;s method table.</p></div>
<div class="paragraph"><p>For example, the DecodeData object can be instantiated and exposed to Lua
like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>local decode_data = DecodeData.new(...)</code></pre>
</div></div>
<div class="paragraph"><p>Each object also exposes useful methods for getting and setting member variables,
and calling the C++ methods contained in the the object. These methods can
be accessed using the <code>:</code> accessor syntax:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>decode_data:set({ sp = 80, dp = 3500 })</code></pre>
</div></div>
<div class="paragraph"><p>Since this is just syntactic sugar for passing the object as the first parameter
of the function <code>DecodeData.set</code>, an equivalent form is:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>decode_data.set(decode_data, { sp = 80, dp = 3500 })</code></pre>
</div></div>
<div class="paragraph"><p>or even:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>DecodeData.set(decode_data, { sp = 80, dp = 3500 })</code></pre>
</div></div>
<div class="paragraph"><p><strong>Buffer</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>Buffer.new(string[data]) &#8594; Buffer</code>
</p>
</li>
<li>
<p>
<code>Buffer.new(uint[length]) &#8594; Buffer</code>
</p>
</li>
<li>
<p>
<code>Buffer.new(RawBuffer) &#8594; Buffer</code>
</p>
</li>
<li>
<p>
<code>Buffer:allocate(uint[length]) &#8594; bool</code>
</p>
</li>
<li>
<p>
<code>Buffer:clear()</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>CodecData</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>CodecData.new() &#8594; CodecData</code>
</p>
</li>
<li>
<p>
<code>CodecData.new(uint[next_prot_id]) &#8594; CodecData</code>
</p>
</li>
<li>
<p>
<code>CodecData.new(fields) &#8594; CodecData</code>
</p>
</li>
<li>
<p>
<code>CodecData:get() &#8594; fields</code>
</p>
</li>
<li>
<p>
<code>CodecData:set(fields)</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>
<div class="ulist"><ul>
<li>
<p>
<code>next_prot_id</code>
</p>
</li>
<li>
<p>
<code>lyr_len</code>
</p>
</li>
<li>
<p>
<code>invalid_bytes</code>
</p>
</li>
<li>
<p>
<code>proto_bits</code>
</p>
</li>
<li>
<p>
<code>codec_flags</code>
</p>
</li>
<li>
<p>
<code>ip_layer_cnt</code>
</p>
</li>
<li>
<p>
<code>ip6_extension_count</code>
</p>
</li>
<li>
<p>
<code>curr_ip6_extension</code>
</p>
</li>
<li>
<p>
<code>ip6_csum_proto</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>Cursor</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>Cursor.new() &#8594; Cursor</code>
</p>
</li>
<li>
<p>
<code>Cursor.new(Packet) &#8594; Cursor</code>
</p>
</li>
<li>
<p>
<code>Cursor.new(string[data]) &#8594; Cursor</code>
</p>
</li>
<li>
<p>
<code>Cursor.new(RawBuffer) &#8594; Cursor</code>
</p>
</li>
<li>
<p>
<code>Cursor:reset()</code>
</p>
</li>
<li>
<p>
<code>Cursor:reset(Packet)</code>
</p>
</li>
<li>
<p>
<code>Cursor:reset(string[data])</code>
</p>
</li>
<li>
<p>
<code>Cursor:reset(RawBuffer)</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>DAQHeader</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>DAQHeader.new() &#8594; DAQHeader</code>
</p>
</li>
<li>
<p>
<code>DAQHeader.new(fields) &#8594; DAQHeader</code>
</p>
</li>
<li>
<p>
<code>DAQHeader:get() &#8594; fields</code>
</p>
</li>
<li>
<p>
<code>DAQHeader:set(fields)</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>
<div class="ulist"><ul>
<li>
<p>
<code>caplen</code>
</p>
</li>
<li>
<p>
<code>pktlen</code>
</p>
</li>
<li>
<p>
<code>ingress_index</code>
</p>
</li>
<li>
<p>
<code>egress_index</code>
</p>
</li>
<li>
<p>
<code>ingress_group</code>
</p>
</li>
<li>
<p>
<code>egress_group</code>
</p>
</li>
<li>
<p>
<code>flags</code>
</p>
</li>
<li>
<p>
<code>opaque</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>DecodeData</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>DecodeData.new() &#8594; DecodeData</code>
</p>
</li>
<li>
<p>
<code>DecodeData.new(fields) &#8594; DecodeData</code>
</p>
</li>
<li>
<p>
<code>DecodeData:reset()</code>
</p>
</li>
<li>
<p>
<code>DecodeData:get() &#8594; fields</code>
</p>
</li>
<li>
<p>
<code>DecodeData:set(fields)</code>
</p>
</li>
<li>
<p>
<code>DecodeData:set_ipv4_hdr(RawBuffer, uint[offset])</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>
<div class="ulist"><ul>
<li>
<p>
<code>sp</code>
</p>
</li>
<li>
<p>
<code>dp</code>
</p>
</li>
<li>
<p>
<code>decode_flags</code>
</p>
</li>
<li>
<p>
<code>type</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>EncState</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>EncState.new() &#8594; EncState</code>
</p>
</li>
<li>
<p>
<code>EncState.new(uint[flags_lo]) &#8594; EncState</code>
</p>
</li>
<li>
<p>
<code>EncState.new(uint[flags_lo], uint[flags_hi]) &#8594; EncState</code>
</p>
</li>
<li>
<p>
<code>EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto]) &#8594; EncState</code>
</p>
</li>
<li>
<p>
<code>EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto], uint[ttl]) &#8594; EncState</code>
</p>
</li>
<li>
<p>
<code>EncState.new(uint[flags_lo], uint[flags_hi], uint[next_proto], uint[ttl], uint[dsize]) &#8594; EncState</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>Event</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>Event.new() &#8594; Event</code>
</p>
</li>
<li>
<p>
<code>Event.new(fields) &#8594; Event</code>
</p>
</li>
<li>
<p>
<code>Event:get() &#8594; fields</code>
</p>
</li>
<li>
<p>
<code>Event:set(fields)</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>
<div class="ulist"><ul>
<li>
<p>
<code>event_id</code>
</p>
</li>
<li>
<p>
<code>event_reference</code>
</p>
</li>
<li>
<p>
<code>sig_info</code>
</p>
<div class="ulist"><ul>
<li>
<p>
<code>generator</code>
</p>
</li>
<li>
<p>
<code>id</code>
</p>
</li>
<li>
<p>
<code>rev</code>
</p>
</li>
<li>
<p>
<code>class_id</code>
</p>
</li>
<li>
<p>
<code>priority</code>
</p>
</li>
<li>
<p>
<code>text_rule</code>
</p>
</li>
<li>
<p>
<code>num_services</code>
</p>
</li>
</ul></div>
</li>
</ul></div>
<div class="paragraph"><p><strong>Flow</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>Flow.new() &#8594; Flow</code>
</p>
</li>
<li>
<p>
<code>Flow:reset()</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>Packet</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>Packet.new() &#8594; Packet</code>
</p>
</li>
<li>
<p>
<code>Packet.new(string[data]) &#8594; Packet</code>
</p>
</li>
<li>
<p>
<code>Packet.new(uint[size]) &#8594; Packet</code>
</p>
</li>
<li>
<p>
<code>Packet.new(fields) &#8594; Packet</code>
</p>
</li>
<li>
<p>
<code>Packet.new(RawBuffer) &#8594; Packet</code>
</p>
</li>
<li>
<p>
<code>Packet.new(DAQHeader) &#8594; Packet</code>
</p>
</li>
<li>
<p>
<code>Packet:set_decode_data(DecodeData)</code>
</p>
</li>
<li>
<p>
<code>Packet:set_data(uint[offset], uint[length])</code>
</p>
</li>
<li>
<p>
<code>Packet:set_flow(Flow)</code>
</p>
</li>
<li>
<p>
<code>Packet:get() &#8594; fields</code>
</p>
</li>
<li>
<p>
<code>Packet:set() </code>
</p>
</li>
<li>
<p>
<code>Packet:set(string[data]) </code>
</p>
</li>
<li>
<p>
<code>Packet:set(uint[size]) </code>
</p>
</li>
<li>
<p>
<code>Packet:set(fields) </code>
</p>
</li>
<li>
<p>
<code>Packet:set(RawBuffer) </code>
</p>
</li>
<li>
<p>
<code>Packet:set(DAQHeader) </code>
</p>
</li>
</ul></div>
<div class="paragraph"><p><code>fields</code> is a table with the following contents:</p></div>
<div class="ulist"><ul>
<li>
<p>
<code>packet_flags</code>
</p>
</li>
<li>
<p>
<code>xtradata_mask</code>
</p>
</li>
<li>
<p>
<code>proto_bits</code>
</p>
</li>
<li>
<p>
<code>application_protocol_ordinal</code>
</p>
</li>
<li>
<p>
<code>alt_dsize</code>
</p>
</li>
<li>
<p>
<code>num_layers</code>
</p>
</li>
<li>
<p>
<code>iplist_id</code>
</p>
</li>
<li>
<p>
<code>user_policy_id</code>
</p>
</li>
<li>
<p>
<code>ps_proto</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p>Note: <code>Packet.new()</code> and <code>Packet:set()</code> accept multiple arguments of the
types described above in any order</p></div>
<div class="paragraph"><p><strong>RawBuffer</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>RawBuffer.new() &#8594; RawBuffer</code>
</p>
</li>
<li>
<p>
<code>RawBuffer.new(uint[size]) &#8594; RawBuffer</code>
</p>
</li>
<li>
<p>
<code>RawBuffer.new(string[data]) &#8594; RawBuffer</code>
</p>
</li>
<li>
<p>
<code>RawBuffer:size() &#8594; int</code>
</p>
</li>
<li>
<p>
<code>RawBuffer:resize(uint[size])</code>
</p>
</li>
<li>
<p>
<code>RawBuffer:write(string[data])</code>
</p>
</li>
<li>
<p>
<code>RawBuffer:write(string[data], uint[size])</code>
</p>
</li>
<li>
<p>
<code>RawBuffer:read() &#8594; string</code>
</p>
</li>
<li>
<p>
<code>RawBuffer:read(uint[end]) &#8594; string</code>
</p>
</li>
<li>
<p>
<code>RawBuffer:read(uint[start], uint[end]) &#8594; string</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p>Note: calling <code>RawBuffer.new()</code> with no arguments returns a RawBuffer of size 0</p></div>
<div class="paragraph"><p><strong>StreamSplitter</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
<code>StreamSplitter:scan(Flow, RawBuffer) &#8594; int, int</code>
</p>
</li>
<li>
<p>
<code>StreamSplitter:scan(Flow, RawBuffer, uint[len]) &#8594; int, int</code>
</p>
</li>
<li>
<p>
<code>StreamSplitter:scan(Flow, RawBuffer, uint[len], uint[flags]) &#8594; int, int</code>
</p>
</li>
<li>
<p>
<code>StreamSplitter:reassemble(Flow, uint[total], uint[offset], RawBuffer) &#8594; int, RawBuffer</code>
</p>
</li>
<li>
<p>
<code>StreamSplitter:reassemble(Flow, uint[total], uint[offset], RawBuffer, uint[len]) &#8594; int, RawBuffer</code>
</p>
</li>
<li>
<p>
<code>StreamSplitter:reassemble(Flow, uint[total], uint[offset], RawBuffer, uint[len], uint[flags]) &#8594; int, RawBuffer</code>
</p>
</li>
<li>
<p>
<code>StreamSplitter:finish(Flow) &#8594; bool</code>
</p>
</li>
</ul></div>
<div class="paragraph"><p>Note: StreamSplitter does not have a <code>new()</code> method, it must be created by an inspector via
<code>Inspector.get_splitter()</code></p></div>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_developers_guide">Developers Guide</h3>
<div class="paragraph"><p>Run doc/dev_guide.sh to generate /tmp/dev_guide.html, an annotated guide to
the source tree.</p></div>
</div>
<div class="sect2">
<h3 id="_performance_considerations_for_developers">Performance Considerations for Developers</h3>
<div class="ulist"><ul>
<li>
<p>
Since C compilers evaluate compound conditional expression from left to
  right, put the costly condition last. Put the often-false condition first
  in &amp;&amp; expression. Put the often-true condition first in || expression.
</p>
</li>
<li>
<p>
Use emplace_back/emplace instead of push_back/insert on STL containers.
</p>
</li>
<li>
<p>
In general, unordered_map is faster than map for frequent lookups using
  integer key on relatively static collection of unsorted elements. Whereas,
  map is faster for frequent insertions/deletions/iterations and for
  non-integer key such as string or custom objects. Consider the same factors
  when deciding ordered vs. unordered multimap and set.
</p>
</li>
<li>
<p>
Iterate using range-based for loop with reference (i.e., auto&amp;).
</p>
</li>
<li>
<p>
Be mindful of construction and destruction of temporary objects which can
  be wasteful. Consider using std::move, std::swap, lvalue reference (&amp;),
  and rvalue reference (&amp;&amp;).
</p>
</li>
<li>
<p>
Avoid thread-local storage. When unavoidable, minimize frequent TLS access
  by caching it to a local variable.
</p>
</li>
<li>
<p>
When writing inter-library APIs, consider interfaces depending on use cases
  to minimize context switching. For example, if two APIs foo() and bar() are
  needed to call, combine these into a single API to minimize jumps.
</p>
</li>
</ul></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_coding_style">Coding Style</h2>
<div class="sectionbody">
<div class="paragraph"><p>All new code should try to follow these style guidelines.  These are not
yet firm so feedback is welcome to get something we can live with.</p></div>
<div class="sect2">
<h3 id="_general">General</h3>
<div class="ulist"><ul>
<li>
<p>
Generally try to follow
  <a href="https://google.github.io/styleguide/cppguide.html">https://google.github.io/styleguide/cppguide.html</a>,
  but there are some differences documented here.
</p>
</li>
<li>
<p>
Each source directory should have a dev_notes.txt file summarizing the
  key points and design decisions for the code in that directory.  These
  are built into the developers guide.
</p>
</li>
<li>
<p>
Makefile.am and CMakeLists.txt should have the same files listed in alpha
  order.  This makes it easier to maintain both build systems.
</p>
</li>
<li>
<p>
All new code must come with unit tests providing 95% coverage or better.
</p>
</li>
<li>
<p>
Generally, Catch is preferred for tests in the source file and CppUTest
  is preferred for test executables in a test subdirectory.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_c_specific">C++ Specific</h3>
<div class="ulist"><ul>
<li>
<p>
Do not use exceptions.  Exception-safe code is non-trivial and we have
  ported legacy code that makes use of exceptions unwise.  There are a few
  exceptions to this rule for the memory manager, shell, etc.  Other code
  should handle errors as errors.
</p>
</li>
<li>
<p>
Do not use dynamic_cast or RTTI.  Although compilers are getting better
  all the time, there is a time and space cost to this that is easily
  avoided.
</p>
</li>
<li>
<p>
Use smart pointers judiciously as they aren&#8217;t free.  If you would have to
  roll your own, then use a smart pointer.  If you just need a dtor to
  delete something, write the dtor.
</p>
</li>
<li>
<p>
Prefer <em>and</em> over &amp;&amp; and <em>or</em> over || for new source files.
</p>
</li>
<li>
<p>
Use nullptr instead of NULL.
</p>
</li>
<li>
<p>
Use new, delete, and their [] counterparts instead of malloc and free
  except where realloc must be used.  But try not to use realloc.  New and
  delete can&#8217;t return nullptr so no need to check.  And Snort&#8217;s memory
  manager will ensure that we live within our memory budget.
</p>
</li>
<li>
<p>
Use references in lieu of pointers wherever possible.
</p>
</li>
<li>
<p>
Use the order public, protected, private top to bottom in a class
  declaration.
</p>
</li>
<li>
<p>
Keep inline functions in a class declaration very brief, preferably just
  one line.  If you need a more complex inline function, move the
  definition below the class declaration.
</p>
</li>
<li>
<p>
The goal is to have highly readable class declarations.  The user
  shouldn&#8217;t have to sift through implementation details to see what is
  available to the client.
</p>
</li>
<li>
<p>
Any using statements in source files should be added only after all
  includes have been declared.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_naming">Naming</h3>
<div class="ulist"><ul>
<li>
<p>
Use camel case for namespaces, classes, and types like WhizBangPdfChecker.
</p>
</li>
<li>
<p>
Use lower case identifiers with underscore separators, e.g. some_function()
  and my_var.
</p>
</li>
<li>
<p>
Do not start or end variable names with an underscore.  This has a good
  chance of conflicting with macro and/or system definitions.
</p>
</li>
<li>
<p>
Use lower case filenames with underscores.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_comments">Comments</h3>
<div class="ulist"><ul>
<li>
<p>
Write comments sparingly with a mind towards future proofing.  Often the
  comments can be obviated with better code.  Clear code is better than a
  comment.
</p>
</li>
<li>
<p>
Heed Tim Ottinger&#8217;s Rules on Comments (<a href="https://disqus.com/by/tim_ottinger/">https://disqus.com/by/tim_ottinger/</a>):
</p>
<div class="olist arabic"><ol class="arabic">
<li>
<p>
Comments should only say what the code is incapable of saying.
</p>
</li>
<li>
<p>
Comments that repeat (or pre-state) what the code is doing must be
       removed.
</p>
</li>
<li>
<p>
If the code CAN say what the comment is saying, it must be changed at
       least until rule #2 is in force.
</p>
</li>
</ol></div>
</li>
<li>
<p>
Function comment blocks are generally just noise that quickly becomes
  obsolete.  If you absolutely must comment on parameters, put each on a
  separate line along with the comment.  That way changing the signature
  may prompt a change to the comments too.
</p>
</li>
<li>
<p>
Use FIXIT (not FIXTHIS or TODO or whatever) to mark things left for a
  day or even just a minute.  That way we can find them easily and won&#8217;t
  lose track of them.
</p>
</li>
<li>
<p>
Presently using FIXIT-X where X = A | W | P | H | M | L, indicating analysis,
  warning, perf, high, med, or low priority.  Place A and W comments on the
  exact warning line so we can match up comments and build output.  Supporting
  comments can be added above.
</p>
</li>
<li>
<p>
Put the copyright(s) and license in a comment block at the top of each
  source file (.h and .cc).  Don&#8217;t bother with trivial scripts and make
  foo.  Some interesting Lua code should get a comment block too.  Copy and
  paste exactly from src/main.h (don&#8217;t reformat).
</p>
</li>
<li>
<p>
Put author, description, etc. in separate comment(s) following the
  license.  Do not put such comments in the middle of the license foo.
  Be sure to put the author line ahead of the header guard to exclude them
  from the developers guide.  Use the following format, and include a
  mention to the original author if this is derived work:
</p>
<div class="literalblock">
<div class="content">
<pre><code>// ips_dnp3_obj.cc author Maya Dagon &lt;mdagon@cisco.com&gt;
// based on work by Ryan Jordan</code></pre>
</div></div>
</li>
<li>
<p>
Each header should have a comment immediately after the header guard to
  give an overview of the file so the reader knows what&#8217;s going on.
</p>
</li>
<li>
<p>
Use the following comment on switch cases that intentionally fall through
  to the next case to suppress compiler warning on known valid cases:
</p>
<div class="literalblock">
<div class="content">
<pre><code>// fallthrough</code></pre>
</div></div>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_logging">Logging</h3>
<div class="ulist"><ul>
<li>
<p>
Messages intended for the user should not look like debug messages. Eg,
  the function name should not be included.  It is generally unhelpful to
  include pointers.
</p>
</li>
<li>
<p>
Most debug messages should just be deleted.
</p>
</li>
<li>
<p>
Don&#8217;t bang your error messages (no !).  The user feels bad enough about the
  problem already w/o you shouting at him.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_types">Types</h3>
<div class="ulist"><ul>
<li>
<p>
Use logical types to make the code clearer and to help the compiler catch
  problems.  typedef uint16_t Port; bool foo(Port) is way better than
  int foo(int port).
</p>
</li>
<li>
<p>
Use forward declarations (e.g. struct SnortConfig;) instead of void*.
</p>
</li>
<li>
<p>
Try not to use extern data unless absolutely necessary and then put the
  extern in an appropriate header.  Exceptions for things used in exactly
  one place like BaseApi pointers.
</p>
</li>
<li>
<p>
Use const liberally.  In most cases, const char* s = "foo" should be
  const char* const s = "foo".  The former goes in the initialized data
  section and the latter in read only data section.
</p>
</li>
<li>
<p>
But use const char s[] = "foo" instead of const char* s = "foo" when
  possible.  The latter form allocates a pointer variable and the data
  while the former allocates only the data.
</p>
</li>
<li>
<p>
Use static wherever possible to minimize public symbols and eliminate
  unneeded relocations.
</p>
</li>
<li>
<p>
Declare functions virtual only in the parent class introducing the
  function (not in a derived class that is overriding the function).
  This makes it clear which class introduces the function.
</p>
</li>
<li>
<p>
Declare functions as override if they are intended to override a
  function.  This makes it possible to find derived implementations that
  didn&#8217;t get updated and therefore won&#8217;t get called due a change in the
  parent signature.
</p>
</li>
<li>
<p>
Use bool functions instead of int unless there is truly a need for
  multiple error returns.  The C-style use of zero for success and -1 for
  error is less readable and often leads to messy code that either ignores
  the various errors anyway or needlessly and ineffectively tries to do
  something about them.  Generally that code is not updated if new errors
  are added.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_macros_aka_defines">Macros (aka defines)</h3>
<div class="ulist"><ul>
<li>
<p>
In many cases, even in C++, use #define name "value" instead of a
  const char* const name = "value" because it will eliminate a symbol from
  the binary.
</p>
</li>
<li>
<p>
Use inline functions instead of macros where possible (pretty much all
  cases except where stringification is necessary).  Functions offer better
  typing, avoid re-expansions, and a debugger can break there.
</p>
</li>
<li>
<p>
All macros except simple const values should be wrapped in () and all
  args should be wrapped in () too to avoid surprises upon expansion.
  Example:
</p>
<div class="literalblock">
<div class="content">
<pre><code>#define SEQ_LT(a,b)  ((int)((a) - (b)) &lt;  0)</code></pre>
</div></div>
</li>
<li>
<p>
Multiline macros should be blocked (i.e. inside { }) to avoid if-else type
  surprises.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_formatting">Formatting</h3>
<div class="ulist"><ul>
<li>
<p>
Try to keep all source files under 2500 lines.  3000 is the max allowed.
  If you need more lines, chances are that the code needs to be refactored.
</p>
</li>
<li>
<p>
Indent 4 space chars &#8230; no tabs!
</p>
</li>
<li>
<p>
If you need to indent many times, something could be rewritten or
  restructured to make it clearer.  Fewer indents is generally easier to
  write, easier to read, and overall better code.
</p>
</li>
<li>
<p>
Braces go on the line immediately following a new scope (function
  signature, if, else, loop, switch, etc.
</p>
</li>
<li>
<p>
Use consistent spacing and line breaks.  Always indent 4 spaces from the
  breaking line.  Keep lines less than 100 chars; it greatly helps
  readability.
</p>
<div class="literalblock">
<div class="content">
<pre><code>No:
    calling_a_func_with_a_long_name(arg1,
                                    arg2,
                                    arg3);</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>Yes:
    calling_a_func_with_a_long_name(
        arg1, arg2, arg3);</code></pre>
</div></div>
</li>
<li>
<p>
Put function signature on one line, except when breaking for the arg
  list:
</p>
<div class="literalblock">
<div class="content">
<pre><code>No:
    inline
    bool foo()
    { // ...</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>Yes:
    inline bool foo()
    { // ...</code></pre>
</div></div>
</li>
<li>
<p>
Put conditional code on the line following the if so it is easy to break
  on the conditional block:
</p>
<div class="literalblock">
<div class="content">
<pre><code>No:
    if ( test ) foo();</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>Yes:
    if ( test )
        foo();</code></pre>
</div></div>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_headers">Headers</h3>
<div class="ulist"><ul>
<li>
<p>
Don&#8217;t hesitate to create a new header if it is needed.  Don&#8217;t lump
  unrelated stuff into an header because it is convenient.
</p>
</li>
<li>
<p>
Write header guards like this (leading underscores are reserved for
  system stuff).  In my_header.h:
</p>
<div class="literalblock">
<div class="content">
<pre><code>#ifndef MY_HEADER_H
#define MY_HEADER_H
// ...
#endif</code></pre>
</div></div>
</li>
<li>
<p>
Includes from a different directory should specify parent directory.
  This makes it clear exactly what is included and avoids the primordial
  soup that results from using -I this -I that -I the_other_thing &#8230; .
</p>
<div class="literalblock">
<div class="content">
<pre><code>// given:
src/foo/foo.cc
src/bar/bar.cc
src/bar/baz.cc</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>// in baz.cc
#include "bar.h"</code></pre>
</div></div>
<div class="literalblock">
<div class="content">
<pre><code>// in foo.cc
#include "bar/bar.h"</code></pre>
</div></div>
</li>
<li>
<p>
Includes within installed headers should specify parent directory.
</p>
</li>
<li>
<p>
Just because it is a #define doesn&#8217;t mean it goes in a header.
  Everything should be scoped as tightly as possible.  Shared
  implementation declarations should go in a separate header from the
  interface.  And so on.
</p>
</li>
<li>
<p>
All .cc files should include config.h with the standard block shown below
  immediately following the initial comment blocks and before anything else.
  This presents a consistent view of all included header files as well as
  access to any other configure-time definitions. No .h files should include
  config.h unless they are guaranteed to be local header files (never
  installed).
</p>
<div class="literalblock">
<div class="content">
<pre><code>#ifdef HAVE_CONFIG_H
#include "config.h"
#endif</code></pre>
</div></div>
</li>
<li>
<p>
A .cc should include its own .h before any others aside from the
  aforementioned config.h (including system headers).  This ensures that the
  header stands on its own and can be used by clients without include
  prerequisites and the developer will be the first to find a dependency issue.
</p>
</li>
<li>
<p>
Split headers included from the local directory into a final block of
  headers.  For a .cc file, the final order of sets of header includes should
  look like this:
</p>
<div class="olist arabic"><ol class="arabic">
<li>
<p>
config.h
</p>
</li>
<li>
<p>
its own .h file
</p>
</li>
<li>
<p>
system headers (.h/.hpp/.hxx)
</p>
</li>
<li>
<p>
C++ standard library headers (no file extension)
</p>
</li>
<li>
<p>
Snort headers external to the local directory (path-prefixed)
</p>
</li>
<li>
<p>
Snort headers in the local directory
</p>
</li>
</ol></div>
</li>
<li>
<p>
Include required headers, all required headers, and nothing but required
  headers.  Don&#8217;t just clone a bunch of headers because it is convenient.
</p>
</li>
<li>
<p>
Keep includes in alphabetical order.  This makes it easier to maintain, avoid
  duplicates, etc.
</p>
</li>
<li>
<p>
Do not put using statements in headers unless they are tightly scoped.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_warnings">Warnings</h3>
<div class="ulist"><ul>
<li>
<p>
With g++, use at least these compiler flags:
</p>
<div class="literalblock">
<div class="content">
<pre><code>-Wall -Wextra -pedantic -Wformat -Wformat-security
-Wunused-but-set-variable -Wno-deprecated-declarations
-fsanitize=address -fno-omit-frame-pointer</code></pre>
</div></div>
</li>
<li>
<p>
With clang, use at least these compiler flags:
</p>
<div class="literalblock">
<div class="content">
<pre><code>-Wall -Wextra -pedantic -Wformat -Wformat-security
-Wno-deprecated-declarations
-fsanitize=address -fno-omit-frame-pointer</code></pre>
</div></div>
</li>
<li>
<p>
Two macros (PADDING_GUARD_BEGIN and PADDING_GUARD_END) are provided by
  utils/cpp_macros.h.  These should be used to surround any structure used as
  a hash key with a raw comparator or that would otherwise suffer from
  unintentional padding.  A compiler warning will be generated if any structure
  definition is automatically padded between the macro invocations.
</p>
</li>
<li>
<p>
Then Fix All Warnings and Aborts.  None Allowed.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_uncrustify">Uncrustify</h3>
<div class="paragraph"><p>Currently using uncrustify from at <a href="https://github.com/bengardner/uncrustify">https://github.com/bengardner/uncrustify</a>
to reformat legacy code and anything that happens to need a makeover at
some point.</p></div>
<div class="paragraph"><p>The working config is crusty.cfg in the top level directory.  It does well
but will munge some things.  Specially formatted INDENT-OFF comments were
added in 2 places to avoid a real mess.</p></div>
<div class="paragraph"><p>You can use uncrustify something like this:</p></div>
<div class="literalblock">
<div class="content">
<pre><code>uncrustify -c crusty.cfg --replace file.cc</code></pre>
</div></div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_reference_2">Reference</h2>
<div class="sectionbody">
<div class="sect2">
<h3 id="_build_options_2">Build Options</h3>
<div class="paragraph"><p>The options listed below must be explicitly enabled so they are built
into the Snort binary.  For a full list of build options, run ./configure
--help.</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>--enable-shell</strong>: enable building local and remote command line shell
   support.
</p>
</li>
<li>
<p>
<strong>--enable-tsc-clock</strong>: use the TSC register on x86 systems for improved
  performance of latency and profiler features.
</p>
</li>
</ul></div>
<div class="paragraph"><p>These options are built only if the required libraries and headers are
present.  There is no need to explicitly enable.</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>flatbuffers</strong>: for an alternative perf_monitor logging format.
</p>
</li>
<li>
<p>
<strong>hyperscan</strong> &gt;= 4.4.0: for the regex and sd_pattern rule options and the hyperscan
  search engine.
</p>
</li>
<li>
<p>
<strong>iconv</strong>: for converting UTF16-LE filenames to UTF8 (usually included in glibc)
</p>
</li>
<li>
<p>
<strong>lzma</strong>: for decompression of SWF and PDF files.
</p>
</li>
<li>
<p>
<strong>safec</strong>: for additional runtime error checking of some memory copy operations.
</p>
</li>
</ul></div>
<div class="paragraph"><p>If you need to use headers and/or libraries in non-standard locations, you
can use these options:</p></div>
<div class="ulist"><ul>
<li>
<p>
<strong>--with-pkg-includes</strong>: specify the directory containing the package
  headers.
</p>
</li>
<li>
<p>
<strong>--with-pkg-libraries</strong>: specify the directory containing the package
  libraries.
</p>
</li>
</ul></div>
<div class="paragraph"><p>These can be used for pcap, luajit, pcre, dnet, daq, lzma, openssl,
flatbuffers, iconv, and hyperscan packages.  For more information on
these libraries see the Getting Started section of the manual.</p></div>
</div>
<div class="sect2">
<h3 id="_environment_variables">Environment Variables</h3>
<div class="ulist"><ul>
<li>
<p>
<strong>HOSTTYPE</strong>: optional string that is output with the version at end of
  line.
</p>
</li>
<li>
<p>
<strong>SNORT_IGNORE</strong>: the list of symbols Snort should ignore when parsing the
  Lua conf.  Unknown symbols not in SNORT_IGNORE will cause warnings with
  --warn-unknown or fatals with --warn-unknown --pedantic.
</p>
</li>
<li>
<p>
<strong>SNORT_PROMPT</strong>: the character sequence that is printed at startup,
  shutdown, and in the shell.  The default is the mini-pig: o")~ .
</p>
</li>
<li>
<p>
<strong>SNORT_PLUGIN_PATH</strong>: an optional path where Snort can find supplemental
  shared libraries.  This is only used when Snort is building manuals.
  Modules in supplemental shared libraries will be added to the manuals.
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_command_line_options">Command Line Options</h3>
<div class="ulist"><ul>
<li>
<p>
<strong>-?</strong> &lt;option prefix&gt; output matching command line option quick help (same as --help-options) (optional)
</p>
</li>
<li>
<p>
<strong>-A</strong> &lt;mode&gt; set alert mode: none, cmg, or alert_*
</p>
</li>
<li>
<p>
<strong>-B</strong> &lt;mask&gt; obfuscated IP addresses in alerts and packet dumps using CIDR mask
</p>
</li>
<li>
<p>
<strong>-C</strong> print out payloads with character data only (no hex)
</p>
</li>
<li>
<p>
<strong>-c</strong> &lt;conf&gt; use this configuration
</p>
</li>
<li>
<p>
<strong>-D</strong> run Snort in background (daemon) mode
</p>
</li>
<li>
<p>
<strong>-d</strong> dump the Application Layer
</p>
</li>
<li>
<p>
<strong>-e</strong> display the second layer header info
</p>
</li>
<li>
<p>
<strong>-f</strong> turn off fflush() calls after binary log writes
</p>
</li>
<li>
<p>
<strong>-G</strong> &lt;0xid&gt; (same as --logid) (0:65535)
</p>
</li>
<li>
<p>
<strong>-g</strong> &lt;gname&gt; run snort gid as &lt;gname&gt; group (or gid) after initialization
</p>
</li>
<li>
<p>
<strong>-H</strong> make hash tables deterministic
</p>
</li>
<li>
<p>
<strong>-i</strong> &lt;iface&gt;&#8230; list of interfaces
</p>
</li>
<li>
<p>
<strong>-j</strong> &lt;port&gt; to listen for Telnet connections
</p>
</li>
<li>
<p>
<strong>-k</strong> &lt;mode&gt; checksum mode; default is all (all|noip|notcp|noudp|noicmp|none)
</p>
</li>
<li>
<p>
<strong>-L</strong> &lt;mode&gt; logging mode (none, dump, pcap, or log_*)
</p>
</li>
<li>
<p>
<strong>-l</strong> &lt;logdir&gt; log to this directory instead of current directory
</p>
</li>
<li>
<p>
<strong>-M</strong> log messages to syslog (not alerts)
</p>
</li>
<li>
<p>
<strong>-m</strong> &lt;umask&gt; set the process file mode creation mask (0x000:0x1FF)
</p>
</li>
<li>
<p>
<strong>-n</strong> &lt;count&gt; stop after count packets (0:max53)
</p>
</li>
<li>
<p>
<strong>-O</strong> obfuscate the logged IP addresses
</p>
</li>
<li>
<p>
<strong>-Q</strong> enable inline mode operation
</p>
</li>
<li>
<p>
<strong>-q</strong> quiet mode - Don&#8217;t show banner and status report
</p>
</li>
<li>
<p>
<strong>-R</strong> &lt;rules&gt; include this rules file in the default policy
</p>
</li>
<li>
<p>
<strong>-r</strong> &lt;pcap&gt;&#8230; (same as --pcap-list)
</p>
</li>
<li>
<p>
<strong>-S</strong> &lt;x=v&gt; set config variable x equal to value v
</p>
</li>
<li>
<p>
<strong>-s</strong> &lt;snap&gt; (same as --snaplen); default is 1518 (68:65535)
</p>
</li>
<li>
<p>
<strong>-T</strong> test and report on the current Snort configuration
</p>
</li>
<li>
<p>
<strong>-t</strong> &lt;dir&gt; chroots process to &lt;dir&gt; after initialization
</p>
</li>
<li>
<p>
<strong>-U</strong> use UTC for timestamps
</p>
</li>
<li>
<p>
<strong>-u</strong> &lt;uname&gt; run snort as &lt;uname&gt; or &lt;uid&gt; after initialization
</p>
</li>
<li>
<p>
<strong>-V</strong> (same as --version)
</p>
</li>
<li>
<p>
<strong>-v</strong> be verbose
</p>
</li>
<li>
<p>
<strong>-X</strong> dump the raw packet data starting at the link layer
</p>
</li>
<li>
<p>
<strong>-x</strong> same as --pedantic
</p>
</li>
<li>
<p>
<strong>-y</strong> include year in timestamp in the alert and log files
</p>
</li>
<li>
<p>
<strong>-z</strong> &lt;count&gt; maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 (0:max32)
</p>
</li>
<li>
<p>
<strong>--alert-before-pass</strong> evaluate alert rules before pass rules; default is pass rules first
</p>
</li>
<li>
<p>
<strong>--bpf</strong> &lt;filter options&gt; are standard BPF options, as seen in TCPDump
</p>
</li>
<li>
<p>
<strong>--c2x</strong> output hex for given char (see also --x2c)
</p>
</li>
<li>
<p>
<strong>--control-socket</strong> &lt;file&gt; to create unix socket
</p>
</li>
<li>
<p>
<strong>--create-pidfile</strong> create PID file, even when not in Daemon mode
</p>
</li>
<li>
<p>
<strong>--daq</strong> &lt;type&gt; select packet acquisition module (default is pcap)
</p>
</li>
<li>
<p>
<strong>--daq-batch-size</strong> &lt;size&gt; set the DAQ receive batch size (1:)
</p>
</li>
<li>
<p>
<strong>--daq-dir</strong> &lt;dir&gt; tell snort where to find desired DAQ
</p>
</li>
<li>
<p>
<strong>--daq-list</strong> list packet acquisition modules available in optional dir, default is static modules only
</p>
</li>
<li>
<p>
<strong>--daq-mode</strong> &lt;mode&gt; select DAQ module operating mode (overrides automatic selection) (passive | inline | read-file)
</p>
</li>
<li>
<p>
<strong>--daq-var</strong> &lt;name=value&gt; specify extra DAQ configuration variable
</p>
</li>
<li>
<p>
<strong>--dirty-pig</strong> don&#8217;t flush packets on shutdown
</p>
</li>
<li>
<p>
<strong>--dump-builtin-rules</strong> [&lt;module prefix&gt;] output stub rules for selected modules (optional)
</p>
</li>
<li>
<p>
<strong>--dump-dynamic-rules</strong> output stub rules for all loaded rules libraries
</p>
</li>
<li>
<p>
<strong>--dump-defaults</strong> [&lt;module prefix&gt;] output module defaults in Lua format (optional)
</p>
</li>
<li>
<p>
<strong>--dump-version</strong> output the version, the whole version, and only the version
</p>
</li>
<li>
<p>
<strong>--enable-inline-test</strong> enable Inline-Test Mode Operation
</p>
</li>
<li>
<p>
<strong>--gen-msg-map</strong> dump builtin rules in gen-msg.map format for use by other tools
</p>
</li>
<li>
<p>
<strong>--help</strong> list command line options
</p>
</li>
<li>
<p>
<strong>--help-commands</strong> [&lt;module prefix&gt;] output matching commands (optional)
</p>
</li>
<li>
<p>
<strong>--help-config</strong> [&lt;module prefix&gt;] output matching config options (optional)
</p>
</li>
<li>
<p>
<strong>--help-counts</strong> [&lt;module prefix&gt;] output matching peg counts (optional)
</p>
</li>
<li>
<p>
<strong>--help-limits</strong> print the int upper bounds denoted by max*
</p>
</li>
<li>
<p>
<strong>--help-module</strong> &lt;module&gt; output description of given module
</p>
</li>
<li>
<p>
<strong>--help-modules</strong> list all available modules with brief help
</p>
</li>
<li>
<p>
<strong>--help-options</strong> [&lt;option prefix&gt;] output matching command line option quick help (same as -?) (optional)
</p>
</li>
<li>
<p>
<strong>--help-plugins</strong> list all available plugins with brief help
</p>
</li>
<li>
<p>
<strong>--help-signals</strong> dump available control signals
</p>
</li>
<li>
<p>
<strong>--id-offset</strong> offset to add to instance IDs when logging to files (0:65535)
</p>
</li>
<li>
<p>
<strong>--id-subdir</strong> create/use instance subdirectories in logdir instead of instance filename prefix
</p>
</li>
<li>
<p>
<strong>--id-zero</strong> use id prefix / subdirectory even with one packet thread
</p>
</li>
<li>
<p>
<strong>--include-path</strong> &lt;path&gt; where to find Lua and rule included files; searched before current or config directories
</p>
</li>
<li>
<p>
<strong>--list-buffers</strong> output available inspection buffers
</p>
</li>
<li>
<p>
<strong>--list-builtin</strong> [&lt;module prefix&gt;] output matching builtin rules (optional)
</p>
</li>
<li>
<p>
<strong>--list-gids</strong> [&lt;module prefix&gt;] output matching generators (optional)
</p>
</li>
<li>
<p>
<strong>--list-modules</strong> [&lt;module type&gt;] list all known modules of given type (optional)
</p>
</li>
<li>
<p>
<strong>--list-plugins</strong> list all known plugins
</p>
</li>
<li>
<p>
<strong>--lua</strong> &lt;chunk&gt; extend/override conf with chunk; may be repeated
</p>
</li>
<li>
<p>
<strong>--logid</strong> &lt;0xid&gt; log Identifier to uniquely id events for multiple snorts (same as -G) (0:65535)
</p>
</li>
<li>
<p>
<strong>--markup</strong> output help in asciidoc compatible format
</p>
</li>
<li>
<p>
<strong>--max-packet-threads</strong> &lt;count&gt; configure maximum number of packet threads (same as -z) (0:max32)
</p>
</li>
<li>
<p>
<strong>--mem-check</strong> like -T but also compile search engines
</p>
</li>
<li>
<p>
<strong>--nostamps</strong> don&#8217;t include timestamps in log file names
</p>
</li>
<li>
<p>
<strong>--nolock-pidfile</strong> do not try to lock Snort PID file
</p>
</li>
<li>
<p>
<strong>--pause</strong> wait for resume/quit command before processing packets/terminating
</p>
</li>
<li>
<p>
<strong>--pcap-file</strong> &lt;file&gt; file that contains a list of pcaps to read - read mode is implied
</p>
</li>
<li>
<p>
<strong>--pcap-list</strong> &lt;list&gt; a space separated list of pcaps to read - read mode is implied
</p>
</li>
<li>
<p>
<strong>--pcap-dir</strong> &lt;dir&gt; a directory to recurse to look for pcaps - read mode is implied
</p>
</li>
<li>
<p>
<strong>--pcap-filter</strong> &lt;filter&gt; filter to apply when getting pcaps from file or directory
</p>
</li>
<li>
<p>
<strong>--pcap-loop</strong> &lt;count&gt; read all pcaps &lt;count&gt; times;  0 will read until Snort is terminated (0:max32)
</p>
</li>
<li>
<p>
<strong>--pcap-no-filter</strong> reset to use no filter when getting pcaps from file or directory
</p>
</li>
<li>
<p>
<strong>--pcap-reload</strong> if reading multiple pcaps, reload snort config between pcaps
</p>
</li>
<li>
<p>
<strong>--pcap-show</strong> print a line saying what pcap is currently being read
</p>
</li>
<li>
<p>
<strong>--pedantic</strong> warnings are fatal
</p>
</li>
<li>
<p>
<strong>--plugin-path</strong> &lt;path&gt; where to find plugins
</p>
</li>
<li>
<p>
<strong>--process-all-events</strong> process all action groups
</p>
</li>
<li>
<p>
<strong>--rule</strong> &lt;rules&gt; to be added to configuration; may be repeated
</p>
</li>
<li>
<p>
<strong>--rule-path</strong> &lt;path&gt; where to find rules files
</p>
</li>
<li>
<p>
<strong>--rule-to-hex</strong> output so rule header to stdout for text rule on stdin
</p>
</li>
<li>
<p>
<strong>--rule-to-text</strong> output plain so rule header to stdout for text rule on stdin (specify delimiter or [Snort_SO_Rule] will be used) (16)
</p>
</li>
<li>
<p>
<strong>--run-prefix</strong> &lt;pfx&gt; prepend this to each output file
</p>
</li>
<li>
<p>
<strong>--script-path</strong> &lt;path&gt; to a luajit script or directory containing luajit scripts
</p>
</li>
<li>
<p>
<strong>--shell</strong> enable the interactive command line
</p>
</li>
<li>
<p>
<strong>--show-file-codes</strong> indicate how files are located: A=absolute and W, F, C which are relative to the working directory, including file, and config file respectively
</p>
</li>
<li>
<p>
<strong>--show-plugins</strong> list module and plugin versions
</p>
</li>
<li>
<p>
<strong>--skip</strong> &lt;n&gt; skip 1st n packets (0:max53)
</p>
</li>
<li>
<p>
<strong>--snaplen</strong> &lt;snap&gt; set snaplen of packet (same as -s) (68:65535)
</p>
</li>
<li>
<p>
<strong>--stdin-rules</strong> read rules from stdin until EOF or a line starting with END is read
</p>
</li>
<li>
<p>
<strong>--talos</strong> enable Talos tweak (same as --tweaks talos)
</p>
</li>
<li>
<p>
<strong>--treat-drop-as-alert</strong> converts drop, block, and reset rules into alert rules when loaded
</p>
</li>
<li>
<p>
<strong>--treat-drop-as-ignore</strong> use drop, block, and reset rules to ignore session traffic when not inline
</p>
</li>
<li>
<p>
<strong>--tweaks</strong> tune configuration
</p>
</li>
<li>
<p>
<strong>--version</strong> show version number (same as -V)
</p>
</li>
<li>
<p>
<strong>--warn-all</strong> enable all warnings
</p>
</li>
<li>
<p>
<strong>--warn-conf</strong> warn about configuration issues
</p>
</li>
<li>
<p>
<strong>--warn-daq</strong> warn about DAQ issues, usually related to mode
</p>
</li>
<li>
<p>
<strong>--warn-flowbits</strong> warn about flowbits that are checked but not set and vice-versa
</p>
</li>
<li>
<p>
<strong>--warn-hosts</strong> warn about host table issues
</p>
</li>
<li>
<p>
<strong>--warn-plugins</strong> warn about issues that prevent plugins from loading
</p>
</li>
<li>
<p>
<strong>--warn-rules</strong> warn about duplicate rules and rule parsing issues
</p>
</li>
<li>
<p>
<strong>--warn-scripts</strong> warn about issues discovered while processing Lua scripts
</p>
</li>
<li>
<p>
<strong>--warn-symbols</strong> warn about unknown symbols in your Lua config
</p>
</li>
<li>
<p>
<strong>--warn-vars</strong> warn about variable definition and usage issues
</p>
</li>
<li>
<p>
<strong>--x2c</strong> output ASCII char for given hex (see also --c2x) (0x00:0xFF)
</p>
</li>
<li>
<p>
<strong>--x2s</strong> output ASCII string for given byte code (see also --x2c)
</p>
</li>
<li>
<p>
<strong>--trace</strong> turn on main loop debug trace
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_configuration_8">Configuration</h3>
<div class="ulist"><ul>
<li>
<p>
interval <strong>ack.~range</strong>: check if TCP ack value is <em>value | min&lt;&gt;max | &lt;max | &gt;min</em> { 0: }
</p>
</li>
<li>
<p>
int <strong>active.attempts</strong> = 0: number of TCP packets sent per response (with varying sequence numbers) { 0:255 }
</p>
</li>
<li>
<p>
string <strong>active.device</strong>: use <em>ip</em> for network layer responses or <em>eth0</em> etc for link layer
</p>
</li>
<li>
<p>
string <strong>active.dst_mac</strong>: use format <em>01:23:45:67:89:ab</em>
</p>
</li>
<li>
<p>
int <strong>active.max_responses</strong> = 0: maximum number of responses { 0:255 }
</p>
</li>
<li>
<p>
int <strong>active.min_interval</strong> = 255: minimum number of seconds between responses { 1:255 }
</p>
</li>
<li>
<p>
multi <strong>alert_csv.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }
</p>
</li>
<li>
<p>
bool <strong>alert_csv.file</strong> = false: output to alert_csv.txt instead of stdout
</p>
</li>
<li>
<p>
int <strong>alert_csv.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
</p>
</li>
<li>
<p>
string <strong>alert_csv.separator</strong> = , : separate fields with this character sequence
</p>
</li>
<li>
<p>
bool <strong>alert_ex.upper</strong> = false: true/false &#8594; convert to upper/lower case
</p>
</li>
<li>
<p>
bool <strong>alert_fast.file</strong> = false: output to alert_fast.txt instead of stdout
</p>
</li>
<li>
<p>
int <strong>alert_fast.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
</p>
</li>
<li>
<p>
bool <strong>alert_fast.packet</strong> = false: output packet dump with alert
</p>
</li>
<li>
<p>
bool <strong>alert_full.file</strong> = false: output to alert_full.txt instead of stdout
</p>
</li>
<li>
<p>
int <strong>alert_full.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
</p>
</li>
<li>
<p>
multi <strong>alert_json.fields</strong> = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | service | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }
</p>
</li>
<li>
<p>
bool <strong>alert_json.file</strong> = false: output to alert_json.txt instead of stdout
</p>
</li>
<li>
<p>
int <strong>alert_json.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
</p>
</li>
<li>
<p>
string <strong>alert_json.separator</strong> = , : separate fields with this character sequence
</p>
</li>
<li>
<p>
bool <strong>alerts.alert_with_interface_name</strong> = false: include interface in alert info (fast, full, or syslog only)
</p>
</li>
<li>
<p>
int <strong>alerts.detection_filter_memcap</strong> = 1048576: set available MB of memory for detection_filters { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>alerts.event_filter_memcap</strong> = 1048576: set available MB of memory for event_filters { 0:max32 }
</p>
</li>
<li>
<p>
string <strong>alert_sfsocket.file</strong>: name of unix socket file
</p>
</li>
<li>
<p>
int <strong><code>alert_sfsocket.rules[].gid</code></strong> = 1: rule generator ID { 1:max32 }
</p>
</li>
<li>
<p>
int <strong><code>alert_sfsocket.rules[].sid</code></strong> = 1: rule signature ID { 1:max32 }
</p>
</li>
<li>
<p>
bool <strong>alerts.log_references</strong> = false: include rule references in alert info (full only)
</p>
</li>
<li>
<p>
string <strong>alerts.order</strong> = pass reset block drop alert log: change the order of rule action application
</p>
</li>
<li>
<p>
int <strong>alerts.rate_filter_memcap</strong> = 1048576: set available MB of memory for rate_filters { 0:max32 }
</p>
</li>
<li>
<p>
string <strong>alerts.reference_net</strong>: set the CIDR for homenet (for use with -l or -B, does NOT change $HOME_NET in IDS mode)
</p>
</li>
<li>
<p>
bool <strong>alerts.stateful</strong> = false: don&#8217;t alert w/o established session (note: rule action still taken)
</p>
</li>
<li>
<p>
string <strong>alerts.tunnel_verdicts</strong>: let DAQ handle non-allow verdicts for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls traffic
</p>
</li>
<li>
<p>
enum <strong>alert_syslog.facility</strong> = auth: part of priority applied to each message { auth | authpriv | daemon | user | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }
</p>
</li>
<li>
<p>
enum <strong>alert_syslog.level</strong> = info: part of priority applied to each message { emerg | alert | crit | err | warning | notice | info | debug }
</p>
</li>
<li>
<p>
multi <strong>alert_syslog.options</strong>: used to open the syslog connection { cons | ndelay | perror | pid }
</p>
</li>
<li>
<p>
string <strong>appid.app_detector_dir</strong>: directory to load appid detectors from
</p>
</li>
<li>
<p>
int <strong>appid.app_stats_period</strong> = 300: time period for collecting and logging appid statistics { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>appid.app_stats_rollover_size</strong> = 20971520: max file size for appid stats before rolling over the log file { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>appid.app_stats_rollover_time</strong> = 86400: max time period for collection appid stats before rolling over the log file { 0:max31 }
</p>
</li>
<li>
<p>
bool <strong>appid.debug</strong> = false: enable appid debug logging
</p>
</li>
<li>
<p>
bool <strong>appid.dump_ports</strong> = false: enable dump of appid port information
</p>
</li>
<li>
<p>
int <strong>appid.instance_id</strong> = 0: instance id - ignored { 0:max32 }
</p>
</li>
<li>
<p>
bool <strong>appid.log_all_sessions</strong> = false: enable logging of all appid sessions
</p>
</li>
<li>
<p>
bool <strong>appid.log_stats</strong> = false: enable logging of appid statistics
</p>
</li>
<li>
<p>
int <strong>appid.memcap</strong> = 1048576: max size of the service cache before we start pruning the cache { 1024:maxSZ }
</p>
</li>
<li>
<p>
string <strong>appids.~</strong>: comma separated list of application names
</p>
</li>
<li>
<p>
bool <strong>appid.tp_appid_config_dump</strong>: print third party configuration on startup
</p>
</li>
<li>
<p>
string <strong>appid.tp_appid_config</strong>: path to third party appid configuration file
</p>
</li>
<li>
<p>
string <strong>appid.tp_appid_path</strong>: path to third party appid dynamic library
</p>
</li>
<li>
<p>
bool <strong>appid.tp_appid_stats_enable</strong>: enable collection of stats and print stats on exit in third party module
</p>
</li>
<li>
<p>
int <strong>appid.trace</strong>: mask for enabling debug traces in module { 0:max53 }
</p>
</li>
<li>
<p>
ip4 <strong><code>arp_spoof.hosts[].ip</code></strong>: host ip address
</p>
</li>
<li>
<p>
mac <strong><code>arp_spoof.hosts[].mac</code></strong>: host mac address
</p>
</li>
<li>
<p>
int <strong>asn1.absolute_offset</strong>: absolute offset from the beginning of the packet { 0:65535 }
</p>
</li>
<li>
<p>
implied <strong>asn1.bitstring_overflow</strong>: detects invalid bitstring encodings that are known to be remotely exploitable
</p>
</li>
<li>
<p>
implied <strong>asn1.double_overflow</strong>: detects a double ASCII encoding that is larger than a standard buffer
</p>
</li>
<li>
<p>
int <strong>asn1.oversize_length</strong>: compares ASN.1 type lengths with the supplied argument { 0:max32 }
</p>
</li>
<li>
<p>
implied <strong>asn1.print</strong>: dump decode data to console; always true
</p>
</li>
<li>
<p>
int <strong>asn1.relative_offset</strong>: relative offset from the cursor { -65535:65535 }
</p>
</li>
<li>
<p>
int <strong>attribute_table.max_hosts</strong> = 1024: maximum number of hosts in attribute table { 32:max53 }
</p>
</li>
<li>
<p>
int <strong>attribute_table.max_metadata_services</strong> = 8: maximum number of services in rule { 1:255 }
</p>
</li>
<li>
<p>
int <strong>attribute_table.max_services_per_host</strong> = 8: maximum number of services per host entry in attribute table { 1:65535 }
</p>
</li>
<li>
<p>
int <strong>base64_decode.bytes</strong>: number of base64 encoded bytes to decode { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>base64_decode.offset</strong> = 0: bytes past start of buffer to start decoding { 0:max32 }
</p>
</li>
<li>
<p>
implied <strong>base64_decode.relative</strong>: apply offset to cursor instead of start of buffer
</p>
</li>
<li>
<p>
int <strong>ber_data.~type</strong>: move to the data for the specified BER element type { 0:255 }
</p>
</li>
<li>
<p>
implied <strong>ber_skip.optional</strong>: match even if the specified BER type is not found
</p>
</li>
<li>
<p>
int <strong>ber_skip.~type</strong>: BER element type to skip { 0:255 }
</p>
</li>
<li>
<p>
enum <strong><code>binder[].use.action</code></strong> = inspect: what to do with matching traffic { reset | block | allow | inspect }
</p>
</li>
<li>
<p>
string <strong><code>binder[].use.file</code></strong>: use configuration in given file
</p>
</li>
<li>
<p>
string <strong><code>binder[].use.inspection_policy</code></strong>: use inspection policy from given file
</p>
</li>
<li>
<p>
string <strong><code>binder[].use.ips_policy</code></strong>: use ips policy from given file
</p>
</li>
<li>
<p>
string <strong><code>binder[].use.name</code></strong>: symbol name (defaults to type)
</p>
</li>
<li>
<p>
string <strong><code>binder[].use.network_policy</code></strong>: use network policy from given file
</p>
</li>
<li>
<p>
string <strong><code>binder[].use.service</code></strong>: override automatic service identification
</p>
</li>
<li>
<p>
string <strong><code>binder[].use.type</code></strong>: select module for binding
</p>
</li>
<li>
<p>
addr_list <strong><code>binder[].when.dst_nets</code></strong>: list of destination networks
</p>
</li>
<li>
<p>
bit_list <strong><code>binder[].when.dst_ports</code></strong>: list of destination ports { 65535 }
</p>
</li>
<li>
<p>
bit_list <strong><code>binder[].when.dst_zone</code></strong>: destination zone { 63 }
</p>
</li>
<li>
<p>
bit_list <strong><code>binder[].when.ifaces</code></strong>: list of interface indices { 255 }
</p>
</li>
<li>
<p>
int <strong><code>binder[].when.ips_policy_id</code></strong> = 0: unique ID for selection of this config by external logic { 0:max32 }
</p>
</li>
<li>
<p>
addr_list <strong><code>binder[].when.nets</code></strong>: list of networks
</p>
</li>
<li>
<p>
bit_list <strong><code>binder[].when.ports</code></strong>: list of ports { 65535 }
</p>
</li>
<li>
<p>
enum <strong><code>binder[].when.proto</code></strong>: protocol { any | ip | icmp | tcp | udp | user | file }
</p>
</li>
<li>
<p>
enum <strong><code>binder[].when.role</code></strong> = any: use the given configuration on one or any end of a session { client | server | any }
</p>
</li>
<li>
<p>
string <strong><code>binder[].when.service</code></strong>: override default configuration
</p>
</li>
<li>
<p>
addr_list <strong><code>binder[].when.src_nets</code></strong>: list of source networks
</p>
</li>
<li>
<p>
bit_list <strong><code>binder[].when.src_ports</code></strong>: list of source ports { 65535 }
</p>
</li>
<li>
<p>
bit_list <strong><code>binder[].when.src_zone</code></strong>: source zone { 63 }
</p>
</li>
<li>
<p>
bit_list <strong><code>binder[].when.vlans</code></strong>: list of VLAN IDs { 4095 }
</p>
</li>
<li>
<p>
bit_list <strong><code>binder[].when.zones</code></strong>: zones { 63 }
</p>
</li>
<li>
<p>
interval <strong>bufferlen.~range</strong>: check that length of current buffer is in given range { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>byte_extract.align</strong> = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }
</p>
</li>
<li>
<p>
implied <strong>byte_extract.big</strong>: big endian
</p>
</li>
<li>
<p>
int <strong>byte_extract.bitmask</strong>: applies as an AND to the extracted value before storage in <em>name</em> { 0x1:0xFFFFFFFF }
</p>
</li>
<li>
<p>
int <strong>byte_extract.~count</strong>: number of bytes to pick up from the buffer { 1:10 }
</p>
</li>
<li>
<p>
implied <strong>byte_extract.dce</strong>: dcerpc2 determines endianness
</p>
</li>
<li>
<p>
implied <strong>byte_extract.dec</strong>: convert from decimal string
</p>
</li>
<li>
<p>
implied <strong>byte_extract.hex</strong>: convert from hex string
</p>
</li>
<li>
<p>
implied <strong>byte_extract.little</strong>: little endian
</p>
</li>
<li>
<p>
int <strong>byte_extract.multiplier</strong> = 1: scale extracted value by given amount { 1:65535 }
</p>
</li>
<li>
<p>
string <strong>byte_extract.~name</strong>: name of the variable that will be used in other rule options
</p>
</li>
<li>
<p>
implied <strong>byte_extract.oct</strong>: convert from octal string
</p>
</li>
<li>
<p>
int <strong>byte_extract.~offset</strong>: number of bytes into the buffer to start processing { -65535:65535 }
</p>
</li>
<li>
<p>
implied <strong>byte_extract.relative</strong>: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
implied <strong>byte_extract.string</strong>: convert from string
</p>
</li>
<li>
<p>
int <strong>byte_jump.align</strong> = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }
</p>
</li>
<li>
<p>
implied <strong>byte_jump.big</strong>: big endian
</p>
</li>
<li>
<p>
int <strong>byte_jump.bitmask</strong>: applies as an AND prior to evaluation { 0x1:0xFFFFFFFF }
</p>
</li>
<li>
<p>
int <strong>byte_jump.~count</strong>: number of bytes to pick up from the buffer { 0:10 }
</p>
</li>
<li>
<p>
implied <strong>byte_jump.dce</strong>: dcerpc2 determines endianness
</p>
</li>
<li>
<p>
implied <strong>byte_jump.dec</strong>: convert from decimal string
</p>
</li>
<li>
<p>
implied <strong>byte_jump.from_beginning</strong>: jump from start of buffer instead of cursor
</p>
</li>
<li>
<p>
implied <strong>byte_jump.from_end</strong>: jump backward from end of buffer
</p>
</li>
<li>
<p>
implied <strong>byte_jump.hex</strong>: convert from hex string
</p>
</li>
<li>
<p>
implied <strong>byte_jump.little</strong>: little endian
</p>
</li>
<li>
<p>
int <strong>byte_jump.multiplier</strong> = 1: scale extracted value by given amount { 1:65535 }
</p>
</li>
<li>
<p>
implied <strong>byte_jump.oct</strong>: convert from octal string
</p>
</li>
<li>
<p>
string <strong>byte_jump.~offset</strong>: variable name or number of bytes into the buffer to start processing
</p>
</li>
<li>
<p>
string <strong>byte_jump.post_offset</strong>: skip forward or backward (positive or negative value) by variable name or number of bytes after the other jump options have been applied
</p>
</li>
<li>
<p>
implied <strong>byte_jump.relative</strong>: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
implied <strong>byte_jump.string</strong>: convert from string
</p>
</li>
<li>
<p>
int <strong>byte_math.bitmask</strong>: applies as bitwise AND to the extracted value before storage in <em>name</em> { 0x1:0xFFFFFFFF }
</p>
</li>
<li>
<p>
int <strong>byte_math.bytes</strong>: number of bytes to pick up from the buffer { 1:10 }
</p>
</li>
<li>
<p>
implied <strong>byte_math.dce</strong>: dcerpc2 determines endianness
</p>
</li>
<li>
<p>
enum <strong>byte_math.endian</strong>: specify big/little endian { big|little }
</p>
</li>
<li>
<p>
string <strong>byte_math.offset</strong>: number of bytes into the buffer to start processing
</p>
</li>
<li>
<p>
enum <strong>byte_math.oper</strong>: mathematical operation to perform { +|-|*|/|&lt;&lt;|&gt;&gt; }
</p>
</li>
<li>
<p>
implied <strong>byte_math.relative</strong>: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
string <strong>byte_math.result</strong>: name of the variable to store the result
</p>
</li>
<li>
<p>
string <strong>byte_math.rvalue</strong>: value to use mathematical operation against
</p>
</li>
<li>
<p>
enum <strong>byte_math.string</strong>: convert extracted string to dec/hex/oct { hex|dec|oct }
</p>
</li>
<li>
<p>
implied <strong>byte_test.big</strong>: big endian
</p>
</li>
<li>
<p>
int <strong>byte_test.bitmask</strong>: applies as an AND prior to evaluation { 0x1:0xFFFFFFFF }
</p>
</li>
<li>
<p>
string <strong>byte_test.~compare</strong>: variable name or value to test the converted result against
</p>
</li>
<li>
<p>
int <strong>byte_test.~count</strong>: number of bytes to pick up from the buffer { 1:10 }
</p>
</li>
<li>
<p>
implied <strong>byte_test.dce</strong>: dcerpc2 determines endianness
</p>
</li>
<li>
<p>
implied <strong>byte_test.dec</strong>: convert from decimal string
</p>
</li>
<li>
<p>
implied <strong>byte_test.hex</strong>: convert from hex string
</p>
</li>
<li>
<p>
implied <strong>byte_test.little</strong>: little endian
</p>
</li>
<li>
<p>
implied <strong>byte_test.oct</strong>: convert from octal string
</p>
</li>
<li>
<p>
string <strong>byte_test.~offset</strong>: variable name or number of bytes into the payload to start processing
</p>
</li>
<li>
<p>
string <strong>byte_test.~operator</strong>: operation to perform to test the value
</p>
</li>
<li>
<p>
implied <strong>byte_test.relative</strong>: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
implied <strong>byte_test.string</strong>: convert from string
</p>
</li>
<li>
<p>
string <strong><code>classifications[].name</code></strong>: name used with classtype rule option
</p>
</li>
<li>
<p>
int <strong><code>classifications[].priority</code></strong> = 1: default priority for class { 0:max32 }
</p>
</li>
<li>
<p>
string <strong><code>classifications[].text</code></strong>: description of class
</p>
</li>
<li>
<p>
string <strong>classtype.~</strong>: classification for this rule
</p>
</li>
<li>
<p>
string <strong>content.~data</strong>: data to match
</p>
</li>
<li>
<p>
string <strong>content.depth</strong>: var or maximum number of bytes to search from beginning of buffer
</p>
</li>
<li>
<p>
string <strong>content.distance</strong>: var or number of bytes from cursor to start search
</p>
</li>
<li>
<p>
int <strong>content.fast_pattern_length</strong>: maximum number of characters from this content the fast pattern matcher should use { 1:65535 }
</p>
</li>
<li>
<p>
int <strong>content.fast_pattern_offset</strong> = 0: number of leading characters of this content the fast pattern matcher should exclude { 0:65535 }
</p>
</li>
<li>
<p>
implied <strong>content.fast_pattern</strong>: use this content in the fast pattern matcher instead of the content selected by default
</p>
</li>
<li>
<p>
implied <strong>content.nocase</strong>: case insensitive match
</p>
</li>
<li>
<p>
string <strong>content.offset</strong>: var or number of bytes from start of buffer to start search
</p>
</li>
<li>
<p>
string <strong>content.within</strong>: var or maximum number of bytes to search from cursor
</p>
</li>
<li>
<p>
implied <strong>cvs.invalid-entry</strong>: looks for an invalid Entry string
</p>
</li>
<li>
<p>
int <strong>daq.batch_size</strong> = 64: set receive batch size (same as --daq-batch-size) { 1: }
</p>
</li>
<li>
<p>
string <strong><code>daq.inputs[].input</code></strong>: input source
</p>
</li>
<li>
<p>
string <strong><code>daq.module_dirs[].path</code></strong>: directory path
</p>
</li>
<li>
<p>
enum <strong><code>daq.modules[].mode</code></strong> = passive: DAQ module mode { passive | inline | read-file }
</p>
</li>
<li>
<p>
string <strong><code>daq.modules[].name</code></strong>: DAQ module name (required)
</p>
</li>
<li>
<p>
string <strong><code>daq.modules[].variables[].variable</code></strong>: DAQ module variable (foo[=bar])
</p>
</li>
<li>
<p>
int <strong>daq.snaplen</strong> = 1518: set snap length (same as -s) { 0:65535 }
</p>
</li>
<li>
<p>
select <strong>data_log.key</strong> = http_request_header_event : name of the event to log { http_request_header_event | http_response_header_event }
</p>
</li>
<li>
<p>
int <strong>data_log.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:max32 }
</p>
</li>
<li>
<p>
implied <strong>dce_iface.any_frag</strong>: match on any fragment
</p>
</li>
<li>
<p>
string <strong>dce_iface.uuid</strong>: match given dcerpc uuid
</p>
</li>
<li>
<p>
interval <strong>dce_iface.version</strong>: interface version { 0: }
</p>
</li>
<li>
<p>
string <strong>dce_opnum.~</strong>: match given dcerpc operation number, range or list
</p>
</li>
<li>
<p>
bool <strong>dce_smb.disable_defrag</strong> = false: disable DCE/RPC defragmentation
</p>
</li>
<li>
<p>
bool <strong>dce_smb.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow
</p>
</li>
<li>
<p>
int <strong>dce_smb.max_frag_len</strong> = 65535: maximum fragment size for defragmentation { 1514:65535 }
</p>
</li>
<li>
<p>
enum <strong>dce_smb.policy</strong> = WinXP: target based policy to use { Win2000 |  WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba | Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20 }
</p>
</li>
<li>
<p>
int <strong>dce_smb.reassemble_threshold</strong> = 0: minimum bytes received before performing reassembly { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>dce_smb.smb_file_depth</strong> = 16384: SMB file depth for file data { -1:32767 }
</p>
</li>
<li>
<p>
enum <strong>dce_smb.smb_file_inspection</strong> = off: SMB file inspection { off | on | only }
</p>
</li>
<li>
<p>
enum <strong>dce_smb.smb_fingerprint_policy</strong> = none: target based SMB policy to use { none | client |  server | both  }
</p>
</li>
<li>
<p>
string <strong>dce_smb.smb_invalid_shares</strong>: SMB shares to alert on
</p>
</li>
<li>
<p>
bool <strong>dce_smb.smb_legacy_mode</strong> = false: inspect only SMBv1
</p>
</li>
<li>
<p>
int <strong>dce_smb.smb_max_chain</strong> = 3: SMB max chain size { 0:255 }
</p>
</li>
<li>
<p>
int <strong>dce_smb.smb_max_compound</strong> = 3: SMB max compound size { 0:255 }
</p>
</li>
<li>
<p>
int <strong>dce_smb.trace</strong>: mask for enabling debug traces in module { 0:max53 }
</p>
</li>
<li>
<p>
multi <strong>dce_smb.valid_smb_versions</strong> = all: valid SMB versions { v1 | v2 | all }
</p>
</li>
<li>
<p>
bool <strong>dce_tcp.disable_defrag</strong> = false: disable DCE/RPC defragmentation
</p>
</li>
<li>
<p>
bool <strong>dce_tcp.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow
</p>
</li>
<li>
<p>
int <strong>dce_tcp.max_frag_len</strong> = 65535: maximum fragment size for defragmentation { 1514:65535 }
</p>
</li>
<li>
<p>
enum <strong>dce_tcp.policy</strong> = WinXP: target based policy to use { Win2000 |  WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba | Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20 }
</p>
</li>
<li>
<p>
int <strong>dce_tcp.reassemble_threshold</strong> = 0: minimum bytes received before performing reassembly { 0:65535 }
</p>
</li>
<li>
<p>
bool <strong>dce_udp.disable_defrag</strong> = false: disable DCE/RPC defragmentation
</p>
</li>
<li>
<p>
bool <strong>dce_udp.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow
</p>
</li>
<li>
<p>
int <strong>dce_udp.max_frag_len</strong> = 65535: maximum fragment size for defragmentation { 1514:65535 }
</p>
</li>
<li>
<p>
int <strong>dce_udp.trace</strong>: mask for enabling debug traces in module { 0:max53 }
</p>
</li>
<li>
<p>
int <strong>decode.trace</strong>: mask for enabling debug traces in module { 0:max53 }
</p>
</li>
<li>
<p>
int <strong>detection.asn1</strong> = 0: maximum decode nodes { 0:65535 }
</p>
</li>
<li>
<p>
bool <strong>detection.enable_address_anomaly_checks</strong> = false: enable check and alerting of address anomalies
</p>
</li>
<li>
<p>
int <strong>detection_filter.count</strong>: hits in interval before allowing the rule to fire { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>detection_filter.seconds</strong>: length of interval to count hits { 1:max32 }
</p>
</li>
<li>
<p>
enum <strong>detection_filter.track</strong>: track hits by source or destination IP address { by_src | by_dst }
</p>
</li>
<li>
<p>
bool <strong>detection.global_default_rule_state</strong> = true: enable or disable rules by default (overridden by ips policy settings)
</p>
</li>
<li>
<p>
bool <strong>detection.global_rule_state</strong> = false: apply rule_state against all policies
</p>
</li>
<li>
<p>
int <strong>detection.offload_limit</strong> = 99999: minimum sizeof PDU to offload fast pattern search (defaults to disabled) { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>detection.offload_threads</strong> = 0: maximum number of simultaneous offloads (defaults to disabled) { 0:max32 }
</p>
</li>
<li>
<p>
bool <strong>detection.pcre_enable</strong> = true: disable pcre pattern matching
</p>
</li>
<li>
<p>
int <strong>detection.pcre_match_limit</strong> = 1500: limit pcre backtracking, 0 = off { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>detection.pcre_match_limit_recursion</strong> = 1500: limit pcre stack consumption, 0 = off { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>detection.trace</strong>: mask for enabling debug traces in module { 0:max53 }
</p>
</li>
<li>
<p>
bool <strong>dnp3.check_crc</strong> = false: validate checksums in DNP3 link layer frames
</p>
</li>
<li>
<p>
string <strong>dnp3_func.~</strong>: match DNP3 function code or name
</p>
</li>
<li>
<p>
string <strong>dnp3_ind.~</strong>: match given DNP3 indicator flags
</p>
</li>
<li>
<p>
int <strong>dnp3_obj.group</strong> = 0: match given DNP3 object header group { 0:255 }
</p>
</li>
<li>
<p>
int <strong>dnp3_obj.var</strong> = 0: match given DNP3 object header var { 0:255 }
</p>
</li>
<li>
<p>
string <strong>domain_filter.file</strong>: file with list of domains identifying hosts to be filtered
</p>
</li>
<li>
<p>
string <strong>domain_filter.hosts</strong>: list of domains identifying hosts to be filtered
</p>
</li>
<li>
<p>
int <strong>dpx.max</strong> = 0: maximum payload before alert { 0:65535 }
</p>
</li>
<li>
<p>
port <strong>dpx.port</strong>: port to check
</p>
</li>
<li>
<p>
interval <strong>dsize.~range</strong>: check if packet payload size is in the given range { 0:65535 }
</p>
</li>
<li>
<p>
bool <strong>esp.decode_esp</strong> = false: enable for inspection of esp traffic that has authentication but not encryption
</p>
</li>
<li>
<p>
int <strong><code>event_filter[].count</code></strong> = 0: number of events in interval before tripping; -1 to disable { -1:max31 }
</p>
</li>
<li>
<p>
int <strong><code>event_filter[].gid</code></strong> = 1: rule generator ID { 0:max32 }
</p>
</li>
<li>
<p>
string <strong><code>event_filter[].ip</code></strong>: restrict filter to these addresses according to track
</p>
</li>
<li>
<p>
int <strong><code>event_filter[].seconds</code></strong> = 0: count interval { 0:max32 }
</p>
</li>
<li>
<p>
int <strong><code>event_filter[].sid</code></strong> = 1: rule signature ID { 0:max32 }
</p>
</li>
<li>
<p>
enum <strong><code>event_filter[].track</code></strong>: filter only matching source or destination addresses { by_src | by_dst }
</p>
</li>
<li>
<p>
enum <strong><code>event_filter[].type</code></strong>: 1st count events | every count events | once after count events { limit | threshold | both }
</p>
</li>
<li>
<p>
int <strong>event_queue.log</strong> = 3: maximum events to log { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>event_queue.max_queue</strong> = 8: maximum events to queue { 1:max32 }
</p>
</li>
<li>
<p>
enum <strong>event_queue.order_events</strong> = content_length: criteria for ordering incoming events { priority|content_length }
</p>
</li>
<li>
<p>
bool <strong>event_queue.process_all_events</strong> = false: process just first action group or all action groups
</p>
</li>
<li>
<p>
string <strong>file_connector.connector</strong>: connector name
</p>
</li>
<li>
<p>
enum <strong>file_connector.direction</strong>: usage { receive | transmit | duplex }
</p>
</li>
<li>
<p>
enum <strong>file_connector.format</strong>: file format { binary | text }
</p>
</li>
<li>
<p>
string <strong>file_connector.name</strong>: channel name
</p>
</li>
<li>
<p>
int <strong>file_id.block_timeout</strong> = 86400: stop blocking after this many seconds { 0:max31 }
</p>
</li>
<li>
<p>
bool <strong>file_id.block_timeout_lookup</strong> = false: block if lookup times out
</p>
</li>
<li>
<p>
int <strong>file_id.capture_block_size</strong> = 32768: file capture block size in bytes { 8:max53 }
</p>
</li>
<li>
<p>
int <strong>file_id.capture_max_size</strong> = 1048576: stop file capture beyond this point { 0:max53 }
</p>
</li>
<li>
<p>
int <strong>file_id.capture_memcap</strong> = 100: memcap for file capture in megabytes { 0:max53 }
</p>
</li>
<li>
<p>
int <strong>file_id.capture_min_size</strong> = 0: stop file capture if file size less than this { 0:max53 }
</p>
</li>
<li>
<p>
bool <strong>file_id.enable_capture</strong> = false: enable file capture
</p>
</li>
<li>
<p>
bool <strong>file_id.enable_signature</strong> = true: enable signature calculation
</p>
</li>
<li>
<p>
bool <strong>file_id.enable_type</strong> = true: enable type ID
</p>
</li>
<li>
<p>
bool <strong><code>file_id.file_policy[].use.enable_file_capture</code></strong> = false: true/false &#8594; enable/disable file capture
</p>
</li>
<li>
<p>
bool <strong><code>file_id.file_policy[].use.enable_file_signature</code></strong> = false: true/false &#8594; enable/disable file signature
</p>
</li>
<li>
<p>
bool <strong><code>file_id.file_policy[].use.enable_file_type</code></strong> = false: true/false &#8594; enable/disable file type identification
</p>
</li>
<li>
<p>
enum <strong><code>file_id.file_policy[].use.verdict</code></strong> = unknown: what to do with matching traffic { unknown | log | stop | block | reset  }
</p>
</li>
<li>
<p>
int <strong><code>file_id.file_policy[].when.file_type_id</code></strong> = 0: unique ID for file type in file magic rule { 0:max32 }
</p>
</li>
<li>
<p>
string <strong><code>file_id.file_policy[].when.sha256</code></strong>: SHA 256
</p>
</li>
<li>
<p>
string <strong><code>file_id.file_rules[].category</code></strong>: file type category
</p>
</li>
<li>
<p>
string <strong><code>file_id.file_rules[].group</code></strong>: comma separated list of groups associated with file type
</p>
</li>
<li>
<p>
int <strong><code>file_id.file_rules[].id</code></strong> = 0: file type id { 0:max32 }
</p>
</li>
<li>
<p>
string <strong><code>file_id.file_rules[].magic[].content</code></strong>: file magic content
</p>
</li>
<li>
<p>
int <strong><code>file_id.file_rules[].magic[].offset</code></strong> = 0: file magic offset { 0:max32 }
</p>
</li>
<li>
<p>
string <strong><code>file_id.file_rules[].msg</code></strong>: information about the file type
</p>
</li>
<li>
<p>
int <strong><code>file_id.file_rules[].rev</code></strong> = 0: rule revision { 0:max32 }
</p>
</li>
<li>
<p>
string <strong><code>file_id.file_rules[].type</code></strong>: file type name
</p>
</li>
<li>
<p>
string <strong><code>file_id.file_rules[].version</code></strong>: file type version
</p>
</li>
<li>
<p>
int <strong>file_id.lookup_timeout</strong> = 2: give up on lookup after this many seconds { 0:max31 }
</p>
</li>
<li>
<p>
int <strong>file_id.max_files_cached</strong> = 65536: maximal number of files cached in memory { 8:max53 }
</p>
</li>
<li>
<p>
int <strong>file_id.show_data_depth</strong> = 100: print this many octets { 0:max53 }
</p>
</li>
<li>
<p>
int <strong>file_id.signature_depth</strong> = 10485760: stop signature at this point { 0:max53 }
</p>
</li>
<li>
<p>
bool <strong>file_id.trace_signature</strong> = false: enable runtime dump of signature info
</p>
</li>
<li>
<p>
bool <strong>file_id.trace_stream</strong> = false: enable runtime dump of file data
</p>
</li>
<li>
<p>
bool <strong>file_id.trace_type</strong> = false: enable runtime dump of type info
</p>
</li>
<li>
<p>
int <strong>file_id.type_depth</strong> = 1460: stop type ID at this point { 0:max53 }
</p>
</li>
<li>
<p>
int <strong>file_id.verdict_delay</strong> = 0: number of queries to return final verdict { 0:max53 }
</p>
</li>
<li>
<p>
bool <strong>file_log.log_pkt_time</strong> = true: log the packet time when event generated
</p>
</li>
<li>
<p>
bool <strong>file_log.log_sys_time</strong> = false: log the system time when event generated
</p>
</li>
<li>
<p>
string <strong>file_type.~</strong>: list of file type IDs to match
</p>
</li>
<li>
<p>
int <strong>finalize_packet.end_pdu</strong> = 0: Deregister for finalize packet events on this PDU { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>finalize_packet.modify.pdu</strong> = 0: Modify verdict in finalize packet for this PDU { 0:max32 }
</p>
</li>
<li>
<p>
enum <strong>finalize_packet.modify.verdict</strong>: output format for stats { pass | block | replace | whitelist | blacklist | ignore | retry }
</p>
</li>
<li>
<p>
int <strong>finalize_packet.start_pdu</strong> = 0: Register to receive finalize packet event starting on this PDU { 0:max32 }
</p>
</li>
<li>
<p>
bool <strong>finalize_packet.switch_to_wizard</strong> = false: switch to wizard on first finalize event
</p>
</li>
<li>
<p>
string <strong>flags.~mask_flags</strong>: these flags are don&#8217;t cares
</p>
</li>
<li>
<p>
string <strong>flags.~test_flags</strong>: these flags are tested
</p>
</li>
<li>
<p>
string <strong>flowbits.~arg1</strong>: bits or group
</p>
</li>
<li>
<p>
string <strong>flowbits.~arg2</strong>: group if arg1 is bits
</p>
</li>
<li>
<p>
string <strong>flowbits.~command</strong>: set|reset|isset|etc.
</p>
</li>
<li>
<p>
implied <strong>flow.established</strong>: match only during data transfer phase
</p>
</li>
<li>
<p>
implied <strong>flow.from_client</strong>: same as to_server
</p>
</li>
<li>
<p>
implied <strong>flow.from_server</strong>: same as to_client
</p>
</li>
<li>
<p>
implied <strong>flow.no_frag</strong>: match on raw packets only
</p>
</li>
<li>
<p>
implied <strong>flow.no_stream</strong>: match on raw packets only
</p>
</li>
<li>
<p>
implied <strong>flow.not_established</strong>: match only outside data transfer phase
</p>
</li>
<li>
<p>
implied <strong>flow.only_frag</strong>: match on defragmented packets only
</p>
</li>
<li>
<p>
implied <strong>flow.only_stream</strong>: match on reassembled packets only
</p>
</li>
<li>
<p>
implied <strong>flow.stateless</strong>: match regardless of stream state
</p>
</li>
<li>
<p>
implied <strong>flow.to_client</strong>: match on server responses
</p>
</li>
<li>
<p>
implied <strong>flow.to_server</strong>: match on client requests
</p>
</li>
<li>
<p>
string <strong>fragbits.~flags</strong>: these flags are tested
</p>
</li>
<li>
<p>
interval <strong>fragoffset.~range</strong>: check if ip fragment offset is in given range { 0:8192 }
</p>
</li>
<li>
<p>
bool <strong>ftp_client.bounce</strong> = false: check for bounces
</p>
</li>
<li>
<p>
addr <strong><code>ftp_client.bounce_to[].address</code></strong> = 1.0.0.0/32: allowed IP address in CIDR format
</p>
</li>
<li>
<p>
port <strong><code>ftp_client.bounce_to[].last_port</code></strong>: optional allowed range from port to last_port inclusive
</p>
</li>
<li>
<p>
port <strong><code>ftp_client.bounce_to[].port</code></strong> = 20: allowed port
</p>
</li>
<li>
<p>
bool <strong>ftp_client.ignore_telnet_erase_cmds</strong> = false: ignore erase character and erase line commands when normalizing
</p>
</li>
<li>
<p>
int <strong>ftp_client.max_resp_len</strong> = 4294967295: maximum FTP response accepted by client { 0:max32 }
</p>
</li>
<li>
<p>
bool <strong>ftp_client.telnet_cmds</strong> = false: detect Telnet escape sequences on FTP control channel
</p>
</li>
<li>
<p>
bool <strong>ftp_server.check_encrypted</strong> = false: check for end of encryption
</p>
</li>
<li>
<p>
string <strong>ftp_server.chk_str_fmt</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong><code>ftp_server.cmd_validity[].command</code></strong>: command string
</p>
</li>
<li>
<p>
string <strong><code>ftp_server.cmd_validity[].format</code></strong>: format specification
</p>
</li>
<li>
<p>
int <strong><code>ftp_server.cmd_validity[].length</code></strong> = 0: specify non-default maximum for command { 0:max32 }
</p>
</li>
<li>
<p>
string <strong>ftp_server.data_chan_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong>ftp_server.data_rest_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong>ftp_server.data_xfer_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
int <strong>ftp_server.def_max_param_len</strong> = 100: default maximum length of commands handled by server; 0 is unlimited { 1:max32 }
</p>
</li>
<li>
<p>
string <strong><code>ftp_server.directory_cmds[].dir_cmd</code></strong>: directory command
</p>
</li>
<li>
<p>
int <strong><code>ftp_server.directory_cmds[].rsp_code</code></strong> = 200: expected successful response code for command { 200:max32 }
</p>
</li>
<li>
<p>
string <strong>ftp_server.encr_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
bool <strong>ftp_server.encrypted_traffic</strong> = false: check for encrypted Telnet and FTP
</p>
</li>
<li>
<p>
string <strong>ftp_server.file_get_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong>ftp_server.file_put_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
string <strong>ftp_server.ftp_cmds</strong>: specify additional commands supported by server beyond RFC 959
</p>
</li>
<li>
<p>
bool <strong>ftp_server.ignore_data_chan</strong> = false: do not inspect FTP data channels
</p>
</li>
<li>
<p>
bool <strong>ftp_server.ignore_telnet_erase_cmds</strong> = false: ignore erase character and erase line commands when normalizing
</p>
</li>
<li>
<p>
string <strong>ftp_server.login_cmds</strong>: check the formatting of the given commands
</p>
</li>
<li>
<p>
bool <strong>ftp_server.print_cmds</strong> = false: print command configurations on start up
</p>
</li>
<li>
<p>
bool <strong>ftp_server.telnet_cmds</strong> = false: detect Telnet escape sequences of FTP control channel
</p>
</li>
<li>
<p>
int <strong>gid.~</strong>: generator id { 1:max32 }
</p>
</li>
<li>
<p>
string <strong>gtp_info.~</strong>: info element to match
</p>
</li>
<li>
<p>
int <strong><code>gtp_inspect[].infos[].length</code></strong> = 0: information element type code { 0:255 }
</p>
</li>
<li>
<p>
string <strong><code>gtp_inspect[].infos[].name</code></strong>: information element name
</p>
</li>
<li>
<p>
int <strong><code>gtp_inspect[].infos[].type</code></strong> = 0: information element type code { 0:255 }
</p>
</li>
<li>
<p>
string <strong><code>gtp_inspect[].messages[].name</code></strong>: message name
</p>
</li>
<li>
<p>
int <strong><code>gtp_inspect[].messages[].type</code></strong> = 0: message type code { 0:255 }
</p>
</li>
<li>
<p>
int <strong>gtp_inspect.trace</strong>: mask for enabling debug traces in module { 0:max53 }
</p>
</li>
<li>
<p>
int <strong><code>gtp_inspect[].version</code></strong> = 2: GTP version { 0:2 }
</p>
</li>
<li>
<p>
string <strong>gtp_type.~</strong>: list of types to match
</p>
</li>
<li>
<p>
int <strong>gtp_version.~</strong>: version to match { 0:2 }
</p>
</li>
<li>
<p>
bool <strong>high_availability.daq_channel</strong> = false: enable use of daq data plane channel
</p>
</li>
<li>
<p>
bool <strong>high_availability.enable</strong> = false: enable high availability
</p>
</li>
<li>
<p>
int <strong>high_availability.min_age</strong> = 0: minimum session life in milliseconds before HA updates { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>high_availability.min_sync</strong> = 0: minimum interval in milliseconds between HA updates { 0:max32 }
</p>
</li>
<li>
<p>
bit_list <strong>high_availability.ports</strong>: side channel message port list { 65535 }
</p>
</li>
<li>
<p>
string <strong>host_cache.dump_file</strong>: file name to dump host cache on shutdown; won&#8217;t dump by default
</p>
</li>
<li>
<p>
int <strong>host_cache.memcap</strong> = 8388608: maximum host cache size in bytes { 512:max32 }
</p>
</li>
<li>
<p>
enum <strong><code>hosts[].frag_policy</code></strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }
</p>
</li>
<li>
<p>
addr <strong><code>hosts[].ip</code></strong> = 0.0.0.0/32: hosts address / CIDR
</p>
</li>
<li>
<p>
string <strong><code>hosts[].services[].name</code></strong>: service identifier
</p>
</li>
<li>
<p>
port <strong><code>hosts[].services[].port</code></strong>: port number
</p>
</li>
<li>
<p>
enum <strong><code>hosts[].services[].proto</code></strong> = tcp: IP protocol { tcp | udp }
</p>
</li>
<li>
<p>
enum <strong><code>hosts[].tcp_policy</code></strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }
</p>
</li>
<li>
<p>
addr <strong><code>host_tracker[].ip</code></strong>: hosts address / cidr
</p>
</li>
<li>
<p>
port <strong><code>host_tracker[].services[].port</code></strong>: port number
</p>
</li>
<li>
<p>
enum <strong><code>host_tracker[].services[].proto</code></strong>: IP protocol { ip | tcp | udp }
</p>
</li>
<li>
<p>
implied <strong>http_cookie.request</strong>: match against the cookie from the request message even when examining the response
</p>
</li>
<li>
<p>
implied <strong>http_cookie.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_cookie.with_header</strong>: this rule is limited to examining HTTP message headers
</p>
</li>
<li>
<p>
implied <strong>http_cookie.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
<li>
<p>
string <strong>http_header.field</strong>: restrict to given header. Header name is case insensitive.
</p>
</li>
<li>
<p>
implied <strong>http_header.request</strong>: match against the headers from the request message even when examining the response
</p>
</li>
<li>
<p>
implied <strong>http_header.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_header.with_header</strong>: this rule is limited to examining HTTP message headers
</p>
</li>
<li>
<p>
implied <strong>http_header.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
<li>
<p>
bool <strong>http_inspect.accelerated_blocking</strong> = false: inspect JavaScript in response messages as soon as possible
</p>
</li>
<li>
<p>
bool <strong>http_inspect.backslash_to_slash</strong> = false: replace \ with / when normalizing URIs
</p>
</li>
<li>
<p>
bit_list <strong>http_inspect.bad_characters</strong>: alert when any of specified bytes are present in URI after percent decoding { 255 }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.decompress_pdf</strong> = false: decompress pdf files in response bodies
</p>
</li>
<li>
<p>
bool <strong>http_inspect.decompress_swf</strong> = false: decompress swf files in response bodies
</p>
</li>
<li>
<p>
bool <strong>http_inspect.decompress_zip</strong> = false: decompress zip files in response bodies
</p>
</li>
<li>
<p>
string <strong>http_inspect.ignore_unreserved</strong>: do not alert when the specified unreserved characters are percent-encoded in a URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore, tilde, and minus. { (optional) }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.iis_double_decode</strong> = false: perform double decoding of percent encodings to normalize characters
</p>
</li>
<li>
<p>
int <strong>http_inspect.iis_unicode_code_page</strong> = 1252: code page to use from the IIS unicode map file { 0:65535 }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.iis_unicode</strong> = false: use IIS unicode code point mapping to normalize characters
</p>
</li>
<li>
<p>
string <strong>http_inspect.iis_unicode_map_file</strong>: file containing code points for IIS unicode. { (optional) }
</p>
</li>
<li>
<p>
int <strong>http_inspect.max_javascript_whitespaces</strong> = 200: maximum consecutive whitespaces allowed within the JavaScript obfuscated data { 1:65535 }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.normalize_javascript</strong> = false: normalize JavaScript in response bodies
</p>
</li>
<li>
<p>
bool <strong>http_inspect.normalize_utf</strong> = true: normalize charset utf encodings in response bodies
</p>
</li>
<li>
<p>
int <strong>http_inspect.oversize_dir_length</strong> = 300: maximum length for URL directory { 1:65535 }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.percent_u</strong> = false: normalize %uNNNN and %UNNNN encodings
</p>
</li>
<li>
<p>
bool <strong>http_inspect.plus_to_space</strong> = true: replace + with &lt;sp&gt; when normalizing URIs
</p>
</li>
<li>
<p>
int <strong>http_inspect.request_depth</strong> = -1: maximum request message body bytes to examine (-1 no limit) { -1:max53 }
</p>
</li>
<li>
<p>
int <strong>http_inspect.response_depth</strong> = -1: maximum response message body bytes to examine (-1 no limit) { -1:max53 }
</p>
</li>
<li>
<p>
bool <strong>http_inspect.simplify_path</strong> = true: reduce URI directory path to simplest form
</p>
</li>
<li>
<p>
bool <strong>http_inspect.unzip</strong> = true: decompress gzip and deflate message bodies
</p>
</li>
<li>
<p>
bool <strong>http_inspect.utf8_bare_byte</strong> = false: when doing UTF-8 character normalization include bytes that were not percent encoded
</p>
</li>
<li>
<p>
bool <strong>http_inspect.utf8</strong> = true: normalize 2-byte and 3-byte UTF-8 characters to a single byte
</p>
</li>
<li>
<p>
implied <strong>http_method.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_method.with_header</strong>: this rule is limited to examining HTTP message headers
</p>
</li>
<li>
<p>
implied <strong>http_method.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
<li>
<p>
implied <strong>http_raw_cookie.request</strong>: match against the cookie from the request message even when examining the response
</p>
</li>
<li>
<p>
implied <strong>http_raw_cookie.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_raw_cookie.with_header</strong>: this rule is limited to examining HTTP message headers
</p>
</li>
<li>
<p>
implied <strong>http_raw_cookie.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
<li>
<p>
implied <strong>http_raw_header.request</strong>: match against the headers from the request message even when examining the response
</p>
</li>
<li>
<p>
implied <strong>http_raw_header.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_raw_header.with_header</strong>: this rule is limited to examining HTTP message headers
</p>
</li>
<li>
<p>
implied <strong>http_raw_header.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
<li>
<p>
implied <strong>http_raw_request.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_raw_request.with_header</strong>: this rule is limited to examining HTTP message headers
</p>
</li>
<li>
<p>
implied <strong>http_raw_request.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
<li>
<p>
implied <strong>http_raw_status.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_raw_status.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
<li>
<p>
implied <strong>http_raw_trailer.request</strong>: match against the trailers from the request message even when examining the response
</p>
</li>
<li>
<p>
implied <strong>http_raw_trailer.with_body</strong>: parts of this rule examine HTTP response message body (must be combined with request)
</p>
</li>
<li>
<p>
implied <strong>http_raw_trailer.with_header</strong>: parts of this rule examine HTTP response message headers (must be combined with request)
</p>
</li>
<li>
<p>
implied <strong>http_raw_uri.fragment</strong>: match against fragment section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_raw_uri.host</strong>: match against host section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_raw_uri.path</strong>: match against path section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_raw_uri.port</strong>: match against port section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_raw_uri.query</strong>: match against query section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_raw_uri.scheme</strong>: match against scheme section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_raw_uri.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_raw_uri.with_header</strong>: this rule is limited to examining HTTP message headers
</p>
</li>
<li>
<p>
implied <strong>http_raw_uri.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
<li>
<p>
implied <strong>http_stat_code.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_stat_code.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
<li>
<p>
implied <strong>http_stat_msg.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_stat_msg.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
<li>
<p>
string <strong>http_trailer.field</strong>: restrict to given trailer
</p>
</li>
<li>
<p>
implied <strong>http_trailer.request</strong>: match against the trailers from the request message even when examining the response
</p>
</li>
<li>
<p>
implied <strong>http_trailer.with_body</strong>: parts of this rule examine HTTP message body (must be combined with request)
</p>
</li>
<li>
<p>
implied <strong>http_trailer.with_header</strong>: parts of this rule examine HTTP response message headers (must be combined with request)
</p>
</li>
<li>
<p>
implied <strong>http_true_ip.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_true_ip.with_header</strong>: this rule is limited to examining HTTP message headers
</p>
</li>
<li>
<p>
implied <strong>http_true_ip.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
<li>
<p>
implied <strong>http_uri.fragment</strong>: match against fragment section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_uri.host</strong>: match against host section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_uri.path</strong>: match against path section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_uri.port</strong>: match against port section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_uri.query</strong>: match against query section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_uri.scheme</strong>: match against scheme section of URI only
</p>
</li>
<li>
<p>
implied <strong>http_uri.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_uri.with_header</strong>: this rule is limited to examining HTTP message headers
</p>
</li>
<li>
<p>
implied <strong>http_uri.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
<li>
<p>
implied <strong>http_version.request</strong>: match against the version from the request message even when examining the response
</p>
</li>
<li>
<p>
implied <strong>http_version.with_body</strong>: parts of this rule examine HTTP message body
</p>
</li>
<li>
<p>
implied <strong>http_version.with_header</strong>: this rule is limited to examining HTTP message headers
</p>
</li>
<li>
<p>
implied <strong>http_version.with_trailer</strong>: parts of this rule examine HTTP message trailers
</p>
</li>
<li>
<p>
interval <strong>icmp_id.~range</strong>: check if ICMP ID is in given range { 0:65535 }
</p>
</li>
<li>
<p>
interval <strong>icmp_seq.~range</strong>: check if ICMP sequence number is in given range { 0:65535 }
</p>
</li>
<li>
<p>
interval <strong>icode.~range</strong>: check if ICMP code is in given range is { 0:255 }
</p>
</li>
<li>
<p>
interval <strong>id.~range</strong>: check if the IP ID is in the given range { 0: }
</p>
</li>
<li>
<p>
int <strong>imap.b64_decode_depth</strong> = 1460: base64 decoding depth (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>imap.bitenc_decode_depth</strong> = 1460: non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
bool <strong>imap.decompress_pdf</strong> = false: decompress pdf files in MIME attachments
</p>
</li>
<li>
<p>
bool <strong>imap.decompress_swf</strong> = false: decompress swf files in MIME attachments
</p>
</li>
<li>
<p>
bool <strong>imap.decompress_zip</strong> = false: decompress zip files in MIME attachments
</p>
</li>
<li>
<p>
int <strong>imap.qp_decode_depth</strong> = 1460: quoted Printable decoding depth (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>imap.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>inspection.id</strong> = 0: correlate policy and events with other items in configuration { 0:65535 }
</p>
</li>
<li>
<p>
enum <strong>inspection.mode</strong> = inline-test: set policy mode { inline | inline-test }
</p>
</li>
<li>
<p>
string <strong>inspection.uuid</strong>: correlate events by uuid
</p>
</li>
<li>
<p>
select <strong>ipopts.~opt</strong>: output format { rr|eol|nop|ts|sec|esec|lsrr|lsrre|ssrr|satid|any }
</p>
</li>
<li>
<p>
string <strong>ip_proto.~proto</strong>: [!|&gt;|&lt;] name or number
</p>
</li>
<li>
<p>
enum <strong>ips.default_rule_state</strong> = inherit: enable or disable ips rules { no | yes | inherit }
</p>
</li>
<li>
<p>
bool <strong>ips.enable_builtin_rules</strong> = false: enable events from builtin rules w/o stubs
</p>
</li>
<li>
<p>
int <strong>ips.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }
</p>
</li>
<li>
<p>
string <strong>ips.includer</strong>: for internal use; where includes are included from { (optional) }
</p>
</li>
<li>
<p>
string <strong>ips.include</strong>: snort rules and includes
</p>
</li>
<li>
<p>
enum <strong>ips.mode</strong>: set policy mode { tap | inline | inline-test }
</p>
</li>
<li>
<p>
bool <strong>ips.obfuscate_pii</strong> = false: mask all but the last 4 characters of credit card and social security numbers
</p>
</li>
<li>
<p>
string <strong>ips.rules</strong>: snort rules and includes
</p>
</li>
<li>
<p>
string <strong>ips.uuid</strong> = 00000000-0000-0000-0000-000000000000: IPS policy uuid
</p>
</li>
<li>
<p>
string <strong>isdataat.~length</strong>: num | !num
</p>
</li>
<li>
<p>
implied <strong>isdataat.relative</strong>: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
interval <strong>itype.~range</strong>: check if ICMP type is in given range { 0:255 }
</p>
</li>
<li>
<p>
enum <strong>latency.packet.action</strong> = none: event action if packet times out and is fastpathed { none | alert | log | alert_and_log }
</p>
</li>
<li>
<p>
bool <strong>latency.packet.fastpath</strong> = false: fastpath expensive packets (max_time exceeded)
</p>
</li>
<li>
<p>
int <strong>latency.packet.max_time</strong> = 500: set timeout for packet latency thresholding (usec) { 0:max53 }
</p>
</li>
<li>
<p>
enum <strong>latency.rule.action</strong> = none: event action for rule latency enable and suspend events { none | alert | log | alert_and_log }
</p>
</li>
<li>
<p>
int <strong>latency.rule.max_suspend_time</strong> = 30000: set max time for suspending a rule (ms, 0 means permanently disable rule) { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>latency.rule.max_time</strong> = 500: set timeout for rule evaluation (usec) { 0:max53 }
</p>
</li>
<li>
<p>
bool <strong>latency.rule.suspend</strong> = false: temporarily suspend expensive rules
</p>
</li>
<li>
<p>
int <strong>latency.rule.suspend_threshold</strong> = 5: set threshold for number of timeouts before suspending a rule { 1:max32 }
</p>
</li>
<li>
<p>
bool <strong>log_codecs.file</strong> = false: output to log_codecs.txt instead of stdout
</p>
</li>
<li>
<p>
bool <strong>log_codecs.msg</strong> = false: include alert msg
</p>
</li>
<li>
<p>
bool <strong>log_hext.file</strong> = false: output to log_hext.txt instead of stdout
</p>
</li>
<li>
<p>
int <strong>log_hext.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
</p>
</li>
<li>
<p>
bool <strong>log_hext.raw</strong> = false: output all full packets if true, else just TCP payload
</p>
</li>
<li>
<p>
int <strong>log_hext.width</strong> = 20: set line width (0 is unlimited) { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>log_pcap.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
</p>
</li>
<li>
<p>
string <strong>md5.~hash</strong>: data to match
</p>
</li>
<li>
<p>
int <strong>md5.length</strong>: number of octets in plain text { 1:65535 }
</p>
</li>
<li>
<p>
string <strong>md5.offset</strong>: var or number of bytes from start of buffer to start search
</p>
</li>
<li>
<p>
implied <strong>md5.relative</strong> = false: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
int <strong>memory.cap</strong> = 0: set the per-packet-thread cap on memory (bytes, 0 to disable) { 0:maxSZ }
</p>
</li>
<li>
<p>
int <strong>memory.threshold</strong> = 0: set the per-packet-thread threshold for preemptive cleanup actions (percent, 0 to disable) { 0:100 }
</p>
</li>
<li>
<p>
string <strong><code>metadata.*</code></strong>: comma-separated list of arbitrary name value pairs
</p>
</li>
<li>
<p>
string <strong>modbus_func.~</strong>: function code to match
</p>
</li>
<li>
<p>
int <strong>modbus_unit.~</strong>: Modbus unit ID { 0:255 }
</p>
</li>
<li>
<p>
bool <strong>mpls.enable_mpls_multicast</strong> = false: enables support for MPLS multicast
</p>
</li>
<li>
<p>
bool <strong>mpls.enable_mpls_overlapping_ip</strong> = false: enable if private network addresses overlap and must be differentiated by MPLS label(s)
</p>
</li>
<li>
<p>
int <strong>mpls.max_mpls_stack_depth</strong> = -1: set MPLS stack depth { -1:255 }
</p>
</li>
<li>
<p>
enum <strong>mpls.mpls_payload_type</strong> = ip4: set encapsulated payload type { eth | ip4 | ip6 }
</p>
</li>
<li>
<p>
string <strong>msg.~</strong>: message describing rule
</p>
</li>
<li>
<p>
interval <strong>mss.~range</strong>: check if TCP MSS is in given range { 0:65535 }
</p>
</li>
<li>
<p>
multi <strong>network.checksum_drop</strong> = none: drop if checksum is bad { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
</p>
</li>
<li>
<p>
multi <strong>network.checksum_eval</strong> = all: checksums to verify { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
</p>
</li>
<li>
<p>
bool <strong>network.decode_drops</strong> = false: enable dropping of packets by the decoder
</p>
</li>
<li>
<p>
int <strong>network.id</strong> = 0: correlate unified2 events with configuration { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>network.layers</strong> = 40: the maximum number of protocols that Snort can correctly decode { 3:255 }
</p>
</li>
<li>
<p>
int <strong>network.max_ip6_extensions</strong> = 0: the maximum number of IP6 options Snort will process for a given IPv6 layer before raising 116:456 (0 = unlimited) { 0:255 }
</p>
</li>
<li>
<p>
int <strong>network.max_ip_layers</strong> = 0: the maximum number of IP layers Snort will process for a given packet before raising 116:293 (0 = unlimited) { 0:255 }
</p>
</li>
<li>
<p>
int <strong>network.min_ttl</strong> = 1: alert / normalize packets with lower TTL / hop limit (you must enable rules and / or normalization also) { 1:255 }
</p>
</li>
<li>
<p>
int <strong>network.new_ttl</strong> = 1: use this value for responses and when normalizing { 1:255 }
</p>
</li>
<li>
<p>
bool <strong>normalizer.icmp4</strong> = false: clear reserved flag
</p>
</li>
<li>
<p>
bool <strong>normalizer.icmp6</strong> = false: clear reserved flag
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip4.base</strong> = true: clear options
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip4.df</strong> = false: clear don&#8217;t frag flag
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip4.rf</strong> = false: clear reserved flag
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip4.tos</strong> = false: clear tos / differentiated services byte
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip4.trim</strong> = false: truncate excess payload beyond datagram length
</p>
</li>
<li>
<p>
bool <strong>normalizer.ip6</strong> = false: clear reserved flag
</p>
</li>
<li>
<p>
string <strong>normalizer.tcp.allow_codes</strong>: don&#8217;t clear given option codes
</p>
</li>
<li>
<p>
multi <strong>normalizer.tcp.allow_names</strong>: don&#8217;t clear given option names { sack | echo | partial_order | conn_count | alt_checksum | md5 }
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.base</strong> = true: clear reserved bits and option padding and fix urgent pointer / flags issues
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.block</strong> = true: allow packet drops during TCP normalization
</p>
</li>
<li>
<p>
select <strong>normalizer.tcp.ecn</strong> = off: clear ecn for all packets | sessions w/o ecn setup { off | packet | stream }
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.ips</strong> = false: ensure consistency in retransmitted data
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.opts</strong> = true: clear all options except mss, wscale, timestamp, and any explicitly allowed
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.pad</strong> = true: clear any option padding bytes
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.req_pay</strong> = true: clear the urgent pointer and the urgent flag if there is no payload
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.req_urg</strong> = true: clear the urgent pointer if the urgent flag is not set
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.req_urp</strong> = true: clear the urgent flag if the urgent pointer is not set
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.rsv</strong> = true: clear the reserved bits in the TCP header
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.trim</strong> = false: enable all of the TCP trim options
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.trim_mss</strong> = false: trim data to MSS
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.trim_rst</strong> = false: remove any data from RST packet
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.trim_syn</strong> = false: remove data on SYN
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.trim_win</strong> = false: trim data to window
</p>
</li>
<li>
<p>
bool <strong>normalizer.tcp.urp</strong> = true: adjust urgent pointer if beyond segment length
</p>
</li>
<li>
<p>
bool <strong>output.dump_chars_only</strong> = false: turns on character dumps (same as -C)
</p>
</li>
<li>
<p>
bool <strong>output.dump_payload</strong> = false: dumps application layer (same as -d)
</p>
</li>
<li>
<p>
bool <strong>output.dump_payload_verbose</strong> = false: dumps raw packet starting at link layer (same as -X)
</p>
</li>
<li>
<p>
int <strong>output.event_trace.max_data</strong> = 0: maximum amount of packet data to capture { 0:65535 }
</p>
</li>
<li>
<p>
string <strong>output.logdir</strong> = .: where to put log files (same as -l)
</p>
</li>
<li>
<p>
bool <strong>output.obfuscate</strong> = false: obfuscate the logged IP addresses (same as -O)
</p>
</li>
<li>
<p>
bool <strong>output.quiet</strong> = false: suppress non-fatal information (still show alerts, same as -q)
</p>
</li>
<li>
<p>
bool <strong>output.show_year</strong> = false: include year in timestamp in the alert and log files (same as -y)
</p>
</li>
<li>
<p>
int <strong>output.tagged_packet_limit</strong> = 256: maximum number of packets tagged for non-packet metrics { 0:max32 }
</p>
</li>
<li>
<p>
bool <strong>output.verbose</strong> = false: be verbose (same as -v)
</p>
</li>
<li>
<p>
bool <strong>output.wide_hex_dump</strong> = false: output 20 bytes per lines instead of 16 when dumping buffers
</p>
</li>
<li>
<p>
bool <strong>packet_capture.enable</strong> = false: initially enable packet dumping
</p>
</li>
<li>
<p>
string <strong>packet_capture.filter</strong>: bpf filter to use for packet dump
</p>
</li>
<li>
<p>
bool <strong>packets.address_space_agnostic</strong> = false: determines whether DAQ address space info is used to track fragments and connections
</p>
</li>
<li>
<p>
string <strong>packets.bpf_file</strong>: file with BPF to select traffic for Snort
</p>
</li>
<li>
<p>
int <strong>packets.limit</strong> = 0: maximum number of packets to process before stopping (0 is unlimited) { 0:max53 }
</p>
</li>
<li>
<p>
int <strong>packets.skip</strong> = 0: number of packets to skip before before processing { 0:max53 }
</p>
</li>
<li>
<p>
bool <strong>packets.vlan_agnostic</strong> = false: determines whether VLAN info is used to track fragments and connections
</p>
</li>
<li>
<p>
bool <strong>packet_tracer.enable</strong> = false: enable summary output of state that determined packet verdict
</p>
</li>
<li>
<p>
enum <strong>packet_tracer.output</strong> = console: select where to send packet trace { console | file }
</p>
</li>
<li>
<p>
string <strong>pcre.~re</strong>: Snort regular expression
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.base</strong> = true: enable base statistics
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.cpu</strong> = false: enable cpu statistics
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.flow</strong> = false: enable traffic statistics
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.flow_ip</strong> = false: enable statistics on host pairs
</p>
</li>
<li>
<p>
int <strong>perf_monitor.flow_ip_memcap</strong> = 52428800: maximum memory in bytes for flow tracking { 8200:maxSZ }
</p>
</li>
<li>
<p>
int <strong>perf_monitor.flow_ports</strong> = 1023: maximum ports to track { 0:65535 }
</p>
</li>
<li>
<p>
enum <strong>perf_monitor.format</strong> = csv: output format for stats { csv | text | json | flatbuffers }
</p>
</li>
<li>
<p>
int <strong>perf_monitor.max_file_size</strong> = 1073741824: files will be rolled over if they exceed this size { 4096:max53 }
</p>
</li>
<li>
<p>
string <strong><code>perf_monitor.modules[].name</code></strong>: name of the module
</p>
</li>
<li>
<p>
string <strong><code>perf_monitor.modules[].pegs</code></strong>: list of statistics to track or empty for all counters
</p>
</li>
<li>
<p>
enum <strong>perf_monitor.output</strong> = file: output location for stats { file | console }
</p>
</li>
<li>
<p>
int <strong>perf_monitor.packets</strong> = 10000: minimum packets to report { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>perf_monitor.seconds</strong> = 60: report interval { 1:max32 }
</p>
</li>
<li>
<p>
bool <strong>perf_monitor.summary</strong> = false: output summary at shutdown
</p>
</li>
<li>
<p>
interval <strong>pkt_num.~range</strong>: check if packet number is in given range { 1: }
</p>
</li>
<li>
<p>
int <strong>pop.b64_decode_depth</strong> = 1460: base64 decoding depth (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>pop.bitenc_decode_depth</strong> = 1460: Non-Encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
bool <strong>pop.decompress_pdf</strong> = false: decompress pdf files in MIME attachments
</p>
</li>
<li>
<p>
bool <strong>pop.decompress_swf</strong> = false: decompress swf files in MIME attachments
</p>
</li>
<li>
<p>
bool <strong>pop.decompress_zip</strong> = false: decompress zip files in MIME attachments
</p>
</li>
<li>
<p>
int <strong>pop.qp_decode_depth</strong> = 1460: Quoted Printable decoding depth (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>pop.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
bool <strong>port_scan.alert_all</strong> = false: alert on all events over threshold within window if true; else alert on first only
</p>
</li>
<li>
<p>
int <strong>port_scan.icmp_sweep.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.icmp_sweep.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.icmp_sweep.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.icmp_sweep.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.icmp_window</strong> = 0: detection interval for all ICMP scans { 0:max32 }
</p>
</li>
<li>
<p>
string <strong>port_scan.ignore_scanned</strong>: list of CIDRs with optional ports to ignore if the destination of scan alerts
</p>
</li>
<li>
<p>
string <strong>port_scan.ignore_scanners</strong>: list of CIDRs with optional ports to ignore if the source of scan alerts
</p>
</li>
<li>
<p>
bool <strong>port_scan.include_midstream</strong> = false: list of CIDRs with optional ports
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_decoy.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_decoy.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_decoy.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_decoy.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_dist.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_dist.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_dist.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_dist.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_proto.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_proto.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_proto.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_proto.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_sweep.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_sweep.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_sweep.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_sweep.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.ip_window</strong> = 0: detection interval for all IP scans { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>port_scan.memcap</strong> = 1048576: maximum tracker memory in bytes { 1024:maxSZ }
</p>
</li>
<li>
<p>
multi <strong>port_scan.protos</strong> = all: choose the protocols to monitor { tcp | udp | icmp | ip | all }
</p>
</li>
<li>
<p>
multi <strong>port_scan.scan_types</strong> = all: choose type of scans to look for { portscan | portsweep | decoy_portscan | distributed_portscan | all }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_decoy.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_decoy.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_decoy.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_decoy.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_dist.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_dist.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_dist.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_dist.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_ports.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_ports.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_ports.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_ports.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_sweep.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_sweep.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_sweep.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_sweep.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.tcp_window</strong> = 0: detection interval for all TCP scans { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_decoy.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_decoy.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_decoy.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_decoy.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_dist.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_dist.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_dist.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_dist.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_ports.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_ports.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_ports.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_ports.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_sweep.nets</strong> = 25: number of times address changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_sweep.ports</strong> = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_sweep.rejects</strong> = 15: scan attempts with negative response { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_sweep.scans</strong> = 100: scan attempts { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>port_scan.udp_window</strong> = 0: detection interval for all UDP scans { 0:max32 }
</p>
</li>
<li>
<p>
string <strong>port_scan.watch_ip</strong>: list of CIDRs with optional ports to watch
</p>
</li>
<li>
<p>
int <strong>priority.~</strong>: relative severity level; 1 is highest priority { 1:max31 }
</p>
</li>
<li>
<p>
string <strong>process.chroot</strong>: set chroot directory (same as -t)
</p>
</li>
<li>
<p>
bool <strong>process.daemon</strong> = false: fork as a daemon (same as -D)
</p>
</li>
<li>
<p>
bool <strong>process.dirty_pig</strong> = false: shutdown without internal cleanup
</p>
</li>
<li>
<p>
string <strong>process.set_gid</strong>: set group ID (same as -g)
</p>
</li>
<li>
<p>
string <strong>process.set_uid</strong>: set user ID (same as -u)
</p>
</li>
<li>
<p>
string <strong><code>process.threads[].cpuset</code></strong>: pin the associated thread to this cpuset
</p>
</li>
<li>
<p>
int <strong><code>process.threads[].thread</code></strong> = 0: set cpu affinity for the &lt;cur_thread_num&gt; thread that runs { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>process.umask</strong>: set process umask (same as -m) { 0x000:0x1FF }
</p>
</li>
<li>
<p>
bool <strong>process.utc</strong> = false: use UTC instead of local time for timestamps
</p>
</li>
<li>
<p>
int <strong>profiler.memory.count</strong> = 0: limit results to count items per level (0 = no limit) { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>profiler.memory.max_depth</strong> = -1: limit depth to max_depth (-1 = no limit) { -1:255 }
</p>
</li>
<li>
<p>
bool <strong>profiler.memory.show</strong> = true: show module memory profile stats
</p>
</li>
<li>
<p>
enum <strong>profiler.memory.sort</strong> = total_used: sort by given field { none | allocations | total_used | avg_allocation  }
</p>
</li>
<li>
<p>
int <strong>profiler.modules.count</strong> = 0: limit results to count items per level (0 = no limit) { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>profiler.modules.max_depth</strong> = -1: limit depth to max_depth (-1 = no limit) { -1:255 }
</p>
</li>
<li>
<p>
bool <strong>profiler.modules.show</strong> = true: show module time profile stats
</p>
</li>
<li>
<p>
enum <strong>profiler.modules.sort</strong> = total_time: sort by given field { none | checks | avg_check | total_time  }
</p>
</li>
<li>
<p>
int <strong>profiler.rules.count</strong> = 0: print results to given level (0 = all) { 0:max32 }
</p>
</li>
<li>
<p>
bool <strong>profiler.rules.show</strong> = true: show rule time profile stats
</p>
</li>
<li>
<p>
enum <strong>profiler.rules.sort</strong> = total_time: sort by given field { none | checks | avg_check | total_time | matches | no_matches | avg_match | avg_no_match }
</p>
</li>
<li>
<p>
string <strong><code>rate_filter[].apply_to</code></strong>: restrict filter to these addresses according to track
</p>
</li>
<li>
<p>
int <strong><code>rate_filter[].count</code></strong> = 1: number of events in interval before tripping { 0:max32 }
</p>
</li>
<li>
<p>
int <strong><code>rate_filter[].gid</code></strong> = 1: rule generator ID { 0:max32 }
</p>
</li>
<li>
<p>
enum <strong><code>rate_filter[].new_action</code></strong> = alert: take this action on future hits until timeout { log | pass | alert | drop | block | reset }
</p>
</li>
<li>
<p>
int <strong><code>rate_filter[].seconds</code></strong> = 1: count interval { 0:max32 }
</p>
</li>
<li>
<p>
int <strong><code>rate_filter[].sid</code></strong> = 1: rule signature ID { 0:max32 }
</p>
</li>
<li>
<p>
int <strong><code>rate_filter[].timeout</code></strong> = 1: count interval { 0:max32 }
</p>
</li>
<li>
<p>
enum <strong><code>rate_filter[].track</code></strong> = by_src: filter only matching source or destination addresses { by_src | by_dst | by_rule }
</p>
</li>
<li>
<p>
bool <strong>react.msg</strong> = false:  use rule msg in response page instead of default message
</p>
</li>
<li>
<p>
string <strong>react.page</strong>: file containing HTTP response (headers and body)
</p>
</li>
<li>
<p>
string <strong>reference.~id</strong>: reference id
</p>
</li>
<li>
<p>
string <strong>reference.~scheme</strong>: reference scheme
</p>
</li>
<li>
<p>
string <strong><code>references[].name</code></strong>: name used with reference rule option
</p>
</li>
<li>
<p>
string <strong><code>references[].url</code></strong>: where this reference is defined
</p>
</li>
<li>
<p>
implied <strong>regex.dotall</strong>: matching a . will not exclude newlines
</p>
</li>
<li>
<p>
implied <strong>regex.fast_pattern</strong>: use this content in the fast pattern matcher instead of the content selected by default
</p>
</li>
<li>
<p>
implied <strong>regex.multiline</strong>: ^ and $ anchors match any newlines in data
</p>
</li>
<li>
<p>
implied <strong>regex.nocase</strong>: case insensitive match
</p>
</li>
<li>
<p>
string <strong>regex.~re</strong>: hyperscan regular expression
</p>
</li>
<li>
<p>
implied <strong>regex.relative</strong>: start search from end of last match instead of start of buffer
</p>
</li>
<li>
<p>
enum <strong>reject.control</strong>: send ICMP unreachable(s) { network|host|port|forward|all }
</p>
</li>
<li>
<p>
enum <strong>reject.reset</strong>: send TCP reset to one or both ends { source|dest|both }
</p>
</li>
<li>
<p>
string <strong>rem.~</strong>: comment
</p>
</li>
<li>
<p>
string <strong>replace.~</strong>: byte code to replace with
</p>
</li>
<li>
<p>
string <strong>reputation.blacklist</strong>: blacklist file name with IP lists
</p>
</li>
<li>
<p>
string <strong>reputation.list_dir</strong>: directory for IP lists and manifest file
</p>
</li>
<li>
<p>
int <strong>reputation.memcap</strong> = 500: maximum total MB of memory allocated { 1:4095 }
</p>
</li>
<li>
<p>
enum <strong>reputation.nested_ip</strong> = inner: IP to use when there is IP encapsulation { inner|outer|all }
</p>
</li>
<li>
<p>
enum <strong>reputation.priority</strong> = whitelist: defines priority when there is a decision conflict during run-time { blacklist|whitelist }
</p>
</li>
<li>
<p>
bool <strong>reputation.scan_local</strong> = false: inspect local address defined in RFC 1918
</p>
</li>
<li>
<p>
string <strong>reputation.whitelist</strong>: whitelist file name with IP lists
</p>
</li>
<li>
<p>
enum <strong>reputation.white</strong> = unblack: specify the meaning of whitelist { unblack|trust }
</p>
</li>
<li>
<p>
int <strong>rev.~</strong>: revision { 1:max32 }
</p>
</li>
<li>
<p>
bool <strong>rewrite.disable_replace</strong> = false: disable replace of packet contents with rewrite rules
</p>
</li>
<li>
<p>
string <strong>rna.custom_fingerprint_dir</strong>: directory to custom fingerprint patterns
</p>
</li>
<li>
<p>
bool <strong>rna.enable_logger</strong> = true: enable or disable writing discovery events into logger
</p>
</li>
<li>
<p>
string <strong>rna.fingerprint_dir</strong>: directory to fingerprint patterns
</p>
</li>
<li>
<p>
bool <strong>rna.log_when_idle</strong> = false: enable host update logging when snort is idle
</p>
</li>
<li>
<p>
string <strong>rna.rna_conf_path</strong>: path to RNA configuration
</p>
</li>
<li>
<p>
string <strong>rna.rna_util_lib_path</strong>: path to library for utilities such as fingerprint decoder
</p>
</li>
<li>
<p>
int <strong>rpc.~app</strong>: application number { 0:max32 }
</p>
</li>
<li>
<p>
string <strong>rpc.~proc</strong>: procedure number or * for any
</p>
</li>
<li>
<p>
string <strong>rpc.~ver</strong>: version number or * for any
</p>
</li>
<li>
<p>
int <strong>rt_global.memcap</strong> = 2048: cap on amount of memory used
</p>
</li>
<li>
<p>
bool <strong>rt_packet.retry_all</strong> = false: request retry for all non-retry packets
</p>
</li>
<li>
<p>
bool <strong>rt_packet.retry_targeted</strong> = false: request retry for packets whose data starts with <em>A</em>
</p>
</li>
<li>
<p>
enum <strong><code>rule_state.$gid_sid[].action</code></strong> = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | inherit }
</p>
</li>
<li>
<p>
enum <strong><code>rule_state.$gid_sid[].enable</code></strong> = inherit: enable or disable rule in current ips policy or use default defined by ips policy { no | yes | inherit }
</p>
</li>
<li>
<p>
string <strong>sd_pattern.~pattern</strong>: The pattern to search for
</p>
</li>
<li>
<p>
int <strong>sd_pattern.threshold</strong> = 1: number of matches before alerting { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>search_engine.bleedover_port_limit</strong> = 1024: maximum ports in rule before demotion to any-any port group { 1:max32 }
</p>
</li>
<li>
<p>
bool <strong>search_engine.bleedover_warnings_enabled</strong> = false: print warning if a rule is demoted to any-any port group
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug</strong> = false: print verbose fast pattern info
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug_print_nocontent_rule_tests</strong> = false: print rule group info during packet evaluation
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug_print_rule_group_build_details</strong> = false: print rule group info during compilation
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug_print_rule_groups_compiled</strong> = false: prints compiled rule group information
</p>
</li>
<li>
<p>
bool <strong>search_engine.debug_print_rule_groups_uncompiled</strong> = false: prints uncompiled rule group information
</p>
</li>
<li>
<p>
bool <strong>search_engine.detect_raw_tcp</strong> = false: detect on TCP payload before reassembly
</p>
</li>
<li>
<p>
bool <strong>search_engine.enable_single_rule_group</strong> = false: put all rules into one group
</p>
</li>
<li>
<p>
int <strong>search_engine.max_pattern_len</strong> = 0: truncate patterns when compiling into state machine (0 means no maximum) { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>search_engine.max_queue_events</strong> = 5: maximum number of matching fast pattern states to queue per packet { 2:100 }
</p>
</li>
<li>
<p>
dynamic <strong>search_engine.offload_search_method</strong>: set fast pattern offload algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan | lowmem }
</p>
</li>
<li>
<p>
dynamic <strong>search_engine.search_method</strong> = ac_bnfa: set fast pattern algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan | lowmem }
</p>
</li>
<li>
<p>
bool <strong>search_engine.search_optimize</strong> = true: tweak state machine construction for better performance
</p>
</li>
<li>
<p>
bool <strong>search_engine.show_fast_patterns</strong> = false: print fast pattern info for each rule
</p>
</li>
<li>
<p>
bool <strong>search_engine.split_any_any</strong> = true: evaluate any-any rules separately to save memory
</p>
</li>
<li>
<p>
interval <strong>seq.~range</strong>: check if TCP sequence number is in given range { 0: }
</p>
</li>
<li>
<p>
string <strong><code>service.*</code></strong>: one or more comma-separated service names
</p>
</li>
<li>
<p>
enum <strong>session.~mode</strong>: output format { printable|binary|all }
</p>
</li>
<li>
<p>
string <strong>sha256.~hash</strong>: data to match
</p>
</li>
<li>
<p>
int <strong>sha256.length</strong>: number of octets in plain text { 1:65535 }
</p>
</li>
<li>
<p>
string <strong>sha256.offset</strong>: var or number of bytes from start of buffer to start search
</p>
</li>
<li>
<p>
implied <strong>sha256.relative</strong> = false: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
string <strong>sha512.~hash</strong>: data to match
</p>
</li>
<li>
<p>
int <strong>sha512.length</strong>: number of octets in plain text { 1:65535 }
</p>
</li>
<li>
<p>
string <strong>sha512.offset</strong>: var or number of bytes from start of buffer to start search
</p>
</li>
<li>
<p>
implied <strong>sha512.relative</strong> = false: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
string <strong>side_channel.connector</strong>: connector handle
</p>
</li>
<li>
<p>
string <strong><code>side_channel.connectors[].connector</code></strong>: connector handle
</p>
</li>
<li>
<p>
bit_list <strong>side_channel.ports</strong>: side channel message port list { 65535 }
</p>
</li>
<li>
<p>
int <strong>sid.~</strong>: signature id { 1:max32 }
</p>
</li>
<li>
<p>
bool <strong>sip.ignore_call_channel</strong> = false: enables the support for ignoring audio/video data channel
</p>
</li>
<li>
<p>
int <strong>sip.max_call_id_len</strong> = 256: maximum call id field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_contact_len</strong> = 256: maximum contact field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_content_len</strong> = 1024: maximum content length of the message body { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_dialogs</strong> = 4: maximum number of dialogs within one stream session { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>sip.max_from_len</strong> = 256: maximum from field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_requestName_len</strong> = 20: maximum request name field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_to_len</strong> = 256: maximum to field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_uri_len</strong> = 256: maximum request uri field size { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>sip.max_via_len</strong> = 1024: maximum via field size { 0:65535 }
</p>
</li>
<li>
<p>
string <strong><code>sip_method.*method</code></strong>: sip method
</p>
</li>
<li>
<p>
string <strong>sip.methods</strong> = invite cancel ack  bye register options: list of methods to check in SIP messages
</p>
</li>
<li>
<p>
int <strong><code>sip_stat_code.*code</code></strong>: status code { 1:999 }
</p>
</li>
<li>
<p>
string <strong><code>smtp.alt_max_command_line_len[].command</code></strong>: command string
</p>
</li>
<li>
<p>
int <strong><code>smtp.alt_max_command_line_len[].length</code></strong> = 0: specify non-default maximum for command { 0:max32 }
</p>
</li>
<li>
<p>
string <strong>smtp.auth_cmds</strong>: commands that initiate an authentication exchange
</p>
</li>
<li>
<p>
int <strong>smtp.b64_decode_depth</strong> = 1460: depth used to decode the base64 encoded MIME attachments (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
string <strong>smtp.binary_data_cmds</strong>: commands that initiate sending of data and use a length value after the command
</p>
</li>
<li>
<p>
int <strong>smtp.bitenc_decode_depth</strong> = 1460: depth used to extract the non-encoded MIME attachments (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
string <strong>smtp.data_cmds</strong>: commands that initiate sending of data with an end of data delimiter
</p>
</li>
<li>
<p>
bool <strong>smtp.decompress_pdf</strong> = false: decompress pdf files in MIME attachments
</p>
</li>
<li>
<p>
bool <strong>smtp.decompress_swf</strong> = false: decompress swf files in MIME attachments
</p>
</li>
<li>
<p>
bool <strong>smtp.decompress_zip</strong> = false: decompress zip files in MIME attachments
</p>
</li>
<li>
<p>
int <strong>smtp.email_hdrs_log_depth</strong> = 1464: depth for logging email headers { 0:20480 }
</p>
</li>
<li>
<p>
bool <strong>smtp.ignore_data</strong> = false: ignore data section of mail
</p>
</li>
<li>
<p>
bool <strong>smtp.ignore_tls_data</strong> = false: ignore TLS-encrypted data when processing rules
</p>
</li>
<li>
<p>
string <strong>smtp.invalid_cmds</strong>: alert if this command is sent from client side
</p>
</li>
<li>
<p>
bool <strong>smtp.log_email_hdrs</strong> = false: log the SMTP email headers extracted from SMTP data
</p>
</li>
<li>
<p>
bool <strong>smtp.log_filename</strong> = false: log the MIME attachment filenames extracted from the Content-Disposition header within the MIME body
</p>
</li>
<li>
<p>
bool <strong>smtp.log_mailfrom</strong> = false: log the sender&#8217;s email address extracted from the MAIL FROM command
</p>
</li>
<li>
<p>
bool <strong>smtp.log_rcptto</strong> = false: log the recipient&#8217;s email address extracted from the RCPT TO command
</p>
</li>
<li>
<p>
int <strong>smtp.max_auth_command_line_len</strong> = 1000: max auth command Line Length { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>smtp.max_command_line_len</strong> = 0: max Command Line Length { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>smtp.max_header_line_len</strong> = 0: max SMTP DATA header line { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>smtp.max_response_line_len</strong> = 0: max SMTP response line { 0:65535 }
</p>
</li>
<li>
<p>
string <strong>smtp.normalize_cmds</strong>: list of commands to normalize
</p>
</li>
<li>
<p>
enum <strong>smtp.normalize</strong> = none: turns on/off normalization { none | cmds | all }
</p>
</li>
<li>
<p>
int <strong>smtp.qp_decode_depth</strong> = 1460: quoted-Printable decoding depth (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
int <strong>smtp.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }
</p>
</li>
<li>
<p>
string <strong>smtp.valid_cmds</strong>: list of valid commands
</p>
</li>
<li>
<p>
enum <strong>smtp.xlink2state</strong> = alert: enable/disable xlink2state alert { disable | alert | drop }
</p>
</li>
<li>
<p>
implied <strong>snort.--alert-before-pass</strong>: evaluate alert rules before pass rules; default is pass rules first
</p>
</li>
<li>
<p>
string <strong>snort.-A</strong>: &lt;mode&gt; set alert mode: none, cmg, or alert_*
</p>
</li>
<li>
<p>
addr <strong>snort.-B</strong> = 255.255.255.255/32: &lt;mask&gt; obfuscated IP addresses in alerts and packet dumps using CIDR mask
</p>
</li>
<li>
<p>
string <strong>snort.--bpf</strong>: &lt;filter options&gt; are standard BPF options, as seen in TCPDump
</p>
</li>
<li>
<p>
string <strong>snort.--c2x</strong>: output hex for given char (see also --x2c)
</p>
</li>
<li>
<p>
string <strong>snort.-c</strong>: &lt;conf&gt; use this configuration
</p>
</li>
<li>
<p>
string <strong>snort.--control-socket</strong>: &lt;file&gt; to create unix socket
</p>
</li>
<li>
<p>
implied <strong>snort.-C</strong>: print out payloads with character data only (no hex)
</p>
</li>
<li>
<p>
implied <strong>snort.--create-pidfile</strong>: create PID file, even when not in Daemon mode
</p>
</li>
<li>
<p>
int <strong>snort.--daq-batch-size</strong> = 64: &lt;size&gt; set the DAQ receive batch size { 1: }
</p>
</li>
<li>
<p>
string <strong>snort.--daq-dir</strong>: &lt;dir&gt; tell snort where to find desired DAQ
</p>
</li>
<li>
<p>
implied <strong>snort.--daq-list</strong>: list packet acquisition modules available in optional dir, default is static modules only
</p>
</li>
<li>
<p>
enum <strong>snort.--daq-mode</strong>: &lt;mode&gt; select DAQ module operating mode (overrides automatic selection) { passive | inline | read-file }
</p>
</li>
<li>
<p>
string <strong>snort.--daq</strong>: &lt;type&gt; select packet acquisition module (default is pcap)
</p>
</li>
<li>
<p>
string <strong>snort.--daq-var</strong>: &lt;name=value&gt; specify extra DAQ configuration variable
</p>
</li>
<li>
<p>
implied <strong>snort.-d</strong>: dump the Application Layer
</p>
</li>
<li>
<p>
implied <strong>snort.--dirty-pig</strong>: don&#8217;t flush packets on shutdown
</p>
</li>
<li>
<p>
implied <strong>snort.-D</strong>: run Snort in background (daemon) mode
</p>
</li>
<li>
<p>
string <strong>snort.--dump-builtin-rules</strong>: [&lt;module prefix&gt;] output stub rules for selected modules { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.--dump-defaults</strong>: [&lt;module prefix&gt;] output module defaults in Lua format { (optional) }
</p>
</li>
<li>
<p>
implied <strong>snort.--dump-dynamic-rules</strong>: output stub rules for all loaded rules libraries
</p>
</li>
<li>
<p>
implied <strong>snort.--dump-version</strong>: output the version, the whole version, and only the version
</p>
</li>
<li>
<p>
implied <strong>snort.-e</strong>: display the second layer header info
</p>
</li>
<li>
<p>
implied <strong>snort.--enable-inline-test</strong>: enable Inline-Test Mode Operation
</p>
</li>
<li>
<p>
implied <strong>snort.-f</strong>: turn off fflush() calls after binary log writes
</p>
</li>
<li>
<p>
int <strong>snort.-G</strong>: &lt;0xid&gt; (same as --logid) { 0:65535 }
</p>
</li>
<li>
<p>
implied <strong>snort.--gen-msg-map</strong>: dump builtin rules in gen-msg.map format for use by other tools
</p>
</li>
<li>
<p>
string <strong>snort.-g</strong>: &lt;gname&gt; run snort gid as &lt;gname&gt; group (or gid) after initialization
</p>
</li>
<li>
<p>
string <strong>snort.--help-commands</strong>: [&lt;module prefix&gt;] output matching commands { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.--help-config</strong>: [&lt;module prefix&gt;] output matching config options { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.--help-counts</strong>: [&lt;module prefix&gt;] output matching peg counts { (optional) }
</p>
</li>
<li>
<p>
implied <strong>snort.--help-limits</strong>: print the int upper bounds denoted by max*
</p>
</li>
<li>
<p>
implied <strong>snort.--help</strong>: list command line options
</p>
</li>
<li>
<p>
string <strong>snort.--help-module</strong>: &lt;module&gt; output description of given module
</p>
</li>
<li>
<p>
implied <strong>snort.--help-modules</strong>: list all available modules with brief help
</p>
</li>
<li>
<p>
string <strong>snort.--help-options</strong>: [&lt;option prefix&gt;] output matching command line option quick help (same as -?) { (optional) }
</p>
</li>
<li>
<p>
implied <strong>snort.--help-plugins</strong>: list all available plugins with brief help
</p>
</li>
<li>
<p>
implied <strong>snort.--help-signals</strong>: dump available control signals
</p>
</li>
<li>
<p>
implied <strong>snort.-H</strong>: make hash tables deterministic
</p>
</li>
<li>
<p>
int <strong>snort.--id-offset</strong> = 0: offset to add to instance IDs when logging to files { 0:65535 }
</p>
</li>
<li>
<p>
implied <strong>snort.--id-subdir</strong>: create/use instance subdirectories in logdir instead of instance filename prefix
</p>
</li>
<li>
<p>
implied <strong>snort.--id-zero</strong>: use id prefix / subdirectory even with one packet thread
</p>
</li>
<li>
<p>
string <strong>snort.-i</strong>: &lt;iface&gt;&#8230; list of interfaces
</p>
</li>
<li>
<p>
string <strong>snort.--include-path</strong>: &lt;path&gt; where to find Lua and rule included files; searched before current or config directories
</p>
</li>
<li>
<p>
port <strong>snort.-j</strong>: &lt;port&gt; to listen for Telnet connections
</p>
</li>
<li>
<p>
enum <strong>snort.-k</strong> = all: &lt;mode&gt; checksum mode; default is all { all|noip|notcp|noudp|noicmp|none }
</p>
</li>
<li>
<p>
implied <strong>snort.--list-buffers</strong>: output available inspection buffers
</p>
</li>
<li>
<p>
string <strong>snort.--list-builtin</strong>: [&lt;module prefix&gt;] output matching builtin rules { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.--list-gids</strong>: [&lt;module prefix&gt;] output matching generators { (optional) }
</p>
</li>
<li>
<p>
string <strong>snort.--list-modules</strong>: [&lt;module type&gt;] list all known modules of given type { (optional) }
</p>
</li>
<li>
<p>
implied <strong>snort.--list-plugins</strong>: list all known plugins
</p>
</li>
<li>
<p>
string <strong>snort.-l</strong>: &lt;logdir&gt; log to this directory instead of current directory
</p>
</li>
<li>
<p>
string <strong>snort.-L</strong>: &lt;mode&gt; logging mode (none, dump, pcap, or log_*)
</p>
</li>
<li>
<p>
int <strong>snort.--logid</strong>: &lt;0xid&gt; log Identifier to uniquely id events for multiple snorts (same as -G) { 0:65535 }
</p>
</li>
<li>
<p>
string <strong>snort.--lua</strong>: &lt;chunk&gt; extend/override conf with chunk; may be repeated
</p>
</li>
<li>
<p>
implied <strong>snort.--markup</strong>: output help in asciidoc compatible format
</p>
</li>
<li>
<p>
int <strong>snort.--max-packet-threads</strong>: &lt;count&gt; configure maximum number of packet threads (same as -z) { 0:max32 }
</p>
</li>
<li>
<p>
implied <strong>snort.--mem-check</strong>: like -T but also compile search engines
</p>
</li>
<li>
<p>
implied <strong>snort.-M</strong>: log messages to syslog (not alerts)
</p>
</li>
<li>
<p>
int <strong>snort.-m</strong>: &lt;umask&gt; set the process file mode creation mask { 0x000:0x1FF }
</p>
</li>
<li>
<p>
int <strong>snort.-n</strong>: &lt;count&gt; stop after count packets { 0:max53 }
</p>
</li>
<li>
<p>
implied <strong>snort.--nolock-pidfile</strong>: do not try to lock Snort PID file
</p>
</li>
<li>
<p>
implied <strong>snort.--nostamps</strong>: don&#8217;t include timestamps in log file names
</p>
</li>
<li>
<p>
implied <strong>snort.-O</strong>: obfuscate the logged IP addresses
</p>
</li>
<li>
<p>
string <strong>snort.-?</strong>: &lt;option prefix&gt; output matching command line option quick help (same as --help-options) { (optional) }
</p>
</li>
<li>
<p>
implied <strong>snort.--pause</strong>: wait for resume/quit command before processing packets/terminating
</p>
</li>
<li>
<p>
string <strong>snort.--pcap-dir</strong>: &lt;dir&gt; a directory to recurse to look for pcaps - read mode is implied
</p>
</li>
<li>
<p>
string <strong>snort.--pcap-file</strong>: &lt;file&gt; file that contains a list of pcaps to read - read mode is implied
</p>
</li>
<li>
<p>
string <strong>snort.--pcap-filter</strong> = <strong>.*cap</strong>: &lt;filter&gt; filter to apply when getting pcaps from file or directory
</p>
</li>
<li>
<p>
string <strong>snort.--pcap-list</strong>: &lt;list&gt; a space separated list of pcaps to read - read mode is implied
</p>
</li>
<li>
<p>
int <strong>snort.--pcap-loop</strong>: &lt;count&gt; read all pcaps &lt;count&gt; times;  0 will read until Snort is terminated { 0:max32 }
</p>
</li>
<li>
<p>
implied <strong>snort.--pcap-no-filter</strong>: reset to use no filter when getting pcaps from file or directory
</p>
</li>
<li>
<p>
implied <strong>snort.--pcap-reload</strong>: if reading multiple pcaps, reload snort config between pcaps
</p>
</li>
<li>
<p>
implied <strong>snort.--pcap-show</strong>: print a line saying what pcap is currently being read
</p>
</li>
<li>
<p>
implied <strong>snort.--pedantic</strong>: warnings are fatal
</p>
</li>
<li>
<p>
string <strong>snort.--plugin-path</strong>: &lt;path&gt; where to find plugins
</p>
</li>
<li>
<p>
implied <strong>snort.--process-all-events</strong>: process all action groups
</p>
</li>
<li>
<p>
implied <strong>snort.-Q</strong>: enable inline mode operation
</p>
</li>
<li>
<p>
implied <strong>snort.-q</strong>: quiet mode - Don&#8217;t show banner and status report
</p>
</li>
<li>
<p>
string <strong>snort.-r</strong>: &lt;pcap&gt;&#8230; (same as --pcap-list)
</p>
</li>
<li>
<p>
string <strong>snort.-R</strong>: &lt;rules&gt; include this rules file in the default policy
</p>
</li>
<li>
<p>
string <strong>snort.--rule-path</strong>: &lt;path&gt; where to find rules files
</p>
</li>
<li>
<p>
string <strong>snort.--rule</strong>: &lt;rules&gt; to be added to configuration; may be repeated
</p>
</li>
<li>
<p>
implied <strong>snort.--rule-to-hex</strong>: output so rule header to stdout for text rule on stdin
</p>
</li>
<li>
<p>
string <strong>snort.--rule-to-text</strong>: output plain so rule header to stdout for text rule on stdin (specify delimiter or [Snort_SO_Rule] will be used) { 16 }
</p>
</li>
<li>
<p>
string <strong>snort.--run-prefix</strong>: &lt;pfx&gt; prepend this to each output file
</p>
</li>
<li>
<p>
int <strong>snort.-s</strong> = 1518: &lt;snap&gt; (same as --snaplen); default is 1518 { 68:65535 }
</p>
</li>
<li>
<p>
string <strong>snort.--script-path</strong>: &lt;path&gt; to a luajit script or directory containing luajit scripts
</p>
</li>
<li>
<p>
implied <strong>snort.--shell</strong>: enable the interactive command line
</p>
</li>
<li>
<p>
implied <strong>snort.--show-file-codes</strong>: indicate how files are located: A=absolute and W, F, C which are relative to the working directory, including file, and config file respectively
</p>
</li>
<li>
<p>
implied <strong>snort.--show-plugins</strong>: list module and plugin versions
</p>
</li>
<li>
<p>
int <strong>snort.--skip</strong>: &lt;n&gt; skip 1st n packets { 0:max53 }
</p>
</li>
<li>
<p>
int <strong>snort.--snaplen</strong> = 1518: &lt;snap&gt; set snaplen of packet (same as -s) { 68:65535 }
</p>
</li>
<li>
<p>
implied <strong>snort.--stdin-rules</strong>: read rules from stdin until EOF or a line starting with END is read
</p>
</li>
<li>
<p>
string <strong>snort.-S</strong>: &lt;x=v&gt; set config variable x equal to value v
</p>
</li>
<li>
<p>
implied <strong>snort.--talos</strong>: enable Talos tweak (same as --tweaks talos)
</p>
</li>
<li>
<p>
string <strong>snort.-t</strong>: &lt;dir&gt; chroots process to &lt;dir&gt; after initialization
</p>
</li>
<li>
<p>
int <strong>snort.trace</strong>: mask for enabling debug traces in module { 0:max53 }
</p>
</li>
<li>
<p>
implied <strong>snort.--trace</strong>: turn on main loop debug trace
</p>
</li>
<li>
<p>
implied <strong>snort.--treat-drop-as-alert</strong>: converts drop, block, and reset rules into alert rules when loaded
</p>
</li>
<li>
<p>
implied <strong>snort.--treat-drop-as-ignore</strong>: use drop, block, and reset rules to ignore session traffic when not inline
</p>
</li>
<li>
<p>
implied <strong>snort.-T</strong>: test and report on the current Snort configuration
</p>
</li>
<li>
<p>
string <strong>snort.--tweaks</strong>: tune configuration
</p>
</li>
<li>
<p>
string <strong>snort.-u</strong>: &lt;uname&gt; run snort as &lt;uname&gt; or &lt;uid&gt; after initialization
</p>
</li>
<li>
<p>
implied <strong>snort.-U</strong>: use UTC for timestamps
</p>
</li>
<li>
<p>
implied <strong>snort.-v</strong>: be verbose
</p>
</li>
<li>
<p>
implied <strong>snort.--version</strong>: show version number (same as -V)
</p>
</li>
<li>
<p>
implied <strong>snort.-V</strong>: (same as --version)
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-all</strong>: enable all warnings
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-conf</strong>: warn about configuration issues
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-daq</strong>: warn about DAQ issues, usually related to mode
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-flowbits</strong>: warn about flowbits that are checked but not set and vice-versa
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-hosts</strong>: warn about host table issues
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-plugins</strong>: warn about issues that prevent plugins from loading
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-rules</strong>: warn about duplicate rules and rule parsing issues
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-scripts</strong>: warn about issues discovered while processing Lua scripts
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-symbols</strong>: warn about unknown symbols in your Lua config
</p>
</li>
<li>
<p>
implied <strong>snort.--warn-vars</strong>: warn about variable definition and usage issues
</p>
</li>
<li>
<p>
int <strong>snort.--x2c</strong>: output ASCII char for given hex (see also --c2x) { 0x00:0xFF }
</p>
</li>
<li>
<p>
string <strong>snort.--x2s</strong>: output ASCII string for given byte code (see also --x2c)
</p>
</li>
<li>
<p>
implied <strong>snort.-X</strong>: dump the raw packet data starting at the link layer
</p>
</li>
<li>
<p>
implied <strong>snort.-x</strong>: same as --pedantic
</p>
</li>
<li>
<p>
implied <strong>snort.-y</strong>: include year in timestamp in the alert and log files
</p>
</li>
<li>
<p>
int <strong>snort.-z</strong>: &lt;count&gt; maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 { 0:max32 }
</p>
</li>
<li>
<p>
string <strong>so.~func</strong>: name of eval function
</p>
</li>
<li>
<p>
string <strong>soid.~</strong>: SO rule ID is unique key, eg &lt;gid&gt;_&lt;sid&gt;_&lt;rev&gt; like 3_45678_9
</p>
</li>
<li>
<p>
implied <strong>so.relative</strong>: offset from cursor instead of start of buffer
</p>
</li>
<li>
<p>
int <strong>ssh.max_client_bytes</strong> = 19600: number of unanswered bytes before alerting on challenge-response overflow or CRC32 { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>ssh.max_encrypted_packets</strong> = 25: ignore session after this many encrypted packets { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>ssh.max_server_version_len</strong> = 80: limit before alerting on secure CRT server version string overflow { 0:255 }
</p>
</li>
<li>
<p>
int <strong>ssl.max_heartbeat_length</strong> = 0: maximum length of heartbeat record allowed { 0:65535 }
</p>
</li>
<li>
<p>
implied <strong>ssl_state.client_hello</strong>: check for client hello
</p>
</li>
<li>
<p>
implied <strong>ssl_state.!client_hello</strong>: check for records that are not client hello
</p>
</li>
<li>
<p>
implied <strong>ssl_state.client_keyx</strong>: check for client keyx
</p>
</li>
<li>
<p>
implied <strong>ssl_state.!client_keyx</strong>: check for records that are not client keyx
</p>
</li>
<li>
<p>
implied <strong>ssl_state.!server_hello</strong>: check for records that are not server hello
</p>
</li>
<li>
<p>
implied <strong>ssl_state.server_hello</strong>: check for server hello
</p>
</li>
<li>
<p>
implied <strong>ssl_state.!server_keyx</strong>: check for records that are not server keyx
</p>
</li>
<li>
<p>
implied <strong>ssl_state.server_keyx</strong>: check for server keyx
</p>
</li>
<li>
<p>
implied <strong>ssl_state.!unknown</strong>: check for records that are not unknown
</p>
</li>
<li>
<p>
implied <strong>ssl_state.unknown</strong>: check for unknown record
</p>
</li>
<li>
<p>
bool <strong>ssl.trust_servers</strong> = false: disables requirement that application (encrypted) data must be observed on both sides
</p>
</li>
<li>
<p>
implied <strong>ssl_version.!sslv2</strong>: check for records that are not sslv2
</p>
</li>
<li>
<p>
implied <strong>ssl_version.sslv2</strong>: check for sslv2
</p>
</li>
<li>
<p>
implied <strong>ssl_version.!sslv3</strong>: check for records that are not sslv3
</p>
</li>
<li>
<p>
implied <strong>ssl_version.sslv3</strong>: check for sslv3
</p>
</li>
<li>
<p>
implied <strong>ssl_version.!tls1.0</strong>: check for records that are not tls1.0
</p>
</li>
<li>
<p>
implied <strong>ssl_version.tls1.0</strong>: check for tls1.0
</p>
</li>
<li>
<p>
implied <strong>ssl_version.!tls1.1</strong>: check for records that are not tls1.1
</p>
</li>
<li>
<p>
implied <strong>ssl_version.tls1.1</strong>: check for tls1.1
</p>
</li>
<li>
<p>
implied <strong>ssl_version.!tls1.2</strong>: check for records that are not tls1.2
</p>
</li>
<li>
<p>
implied <strong>ssl_version.tls1.2</strong>: check for tls1.2
</p>
</li>
<li>
<p>
int <strong>stream.file_cache.cap_weight</strong> = 32: additional bytes to track per flow for better estimation against cap { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }
</p>
</li>
<li>
<p>
bool <strong>stream_file.upload</strong> = false: indicate file transfer direction
</p>
</li>
<li>
<p>
int <strong>stream.footprint</strong> = 0: use zero for production, non-zero for testing at given size (for TCP and user) { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>stream.icmp_cache.cap_weight</strong> = 8: additional bytes to track per flow for better estimation against cap { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>stream.icmp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>stream_icmp.session_timeout</strong> = 30: session tracking timeout { 1:max31 }
</p>
</li>
<li>
<p>
int <strong>stream.ip_cache.cap_weight</strong> = 64: additional bytes to track per flow for better estimation against cap { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }
</p>
</li>
<li>
<p>
bool <strong>stream.ip_frags_only</strong> = false: don&#8217;t process non-frag flows
</p>
</li>
<li>
<p>
int <strong>stream_ip.max_frags</strong> = 8192: maximum number of simultaneous fragments being tracked { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>stream_ip.max_overlaps</strong> = 0: maximum allowed overlaps per datagram; 0 is unlimited { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>stream_ip.min_frag_length</strong> = 0: alert if fragment length is below this limit before or after trimming { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>stream_ip.min_ttl</strong> = 1: discard fragments with TTL below the minimum { 1:255 }
</p>
</li>
<li>
<p>
enum <strong>stream_ip.policy</strong> = linux: fragment reassembly policy { first | linux | bsd | bsd_right | last | windows | solaris }
</p>
</li>
<li>
<p>
int <strong>stream_ip.session_timeout</strong> = 30: session tracking timeout { 1:max31 }
</p>
</li>
<li>
<p>
int <strong>stream_ip.trace</strong>: mask for enabling debug traces in module { 0:max53 }
</p>
</li>
<li>
<p>
int <strong>stream.max_flows</strong> = 476288: maximum simultaneous flows tracked before pruning { 2:max32 }
</p>
</li>
<li>
<p>
int <strong>stream.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1:max32 }
</p>
</li>
<li>
<p>
enum <strong>stream_reassemble.action</strong>: stop or start stream reassembly { disable|enable }
</p>
</li>
<li>
<p>
enum <strong>stream_reassemble.direction</strong>: action applies to the given direction(s) { client|server|both }
</p>
</li>
<li>
<p>
implied <strong>stream_reassemble.fastpath</strong>: optionally whitelist the remainder of the session
</p>
</li>
<li>
<p>
implied <strong>stream_reassemble.noalert</strong>: don&#8217;t alert when rule matches
</p>
</li>
<li>
<p>
enum <strong>stream_size.~direction</strong>: compare applies to the given direction(s) { either|to_server|to_client|both }
</p>
</li>
<li>
<p>
interval <strong>stream_size.~range</strong>: check if the stream size is in the given range { 0: }
</p>
</li>
<li>
<p>
int <strong>stream.tcp_cache.cap_weight</strong> = 11500: additional bytes to track per flow for better estimation against cap { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>stream.tcp_cache.idle_timeout</strong> = 3600: maximum inactive time before retiring session tracker { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.flush_factor</strong> = 0: flush upon seeing a drop in segment size after given number of non-decreasing segments { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.max_pdu</strong> = 16384: maximum reassembled PDU size { 1460:32768 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.max_window</strong> = 0: maximum allowed TCP window { 0:1073725440 }
</p>
</li>
<li>
<p>
bool <strong>stream_tcp.no_ack</strong> = false: received data is implicitly acked immediately
</p>
</li>
<li>
<p>
int <strong>stream_tcp.overlap_limit</strong> = 0: maximum number of allowed overlapping segments per session { 0:max32 }
</p>
</li>
<li>
<p>
enum <strong>stream_tcp.policy</strong> = bsd: determines operating system characteristics like reassembly { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.queue_limit.max_bytes</strong> = 1048576: don&#8217;t queue more than given bytes per session and direction { 0:max32 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.queue_limit.max_segments</strong> = 2621: don&#8217;t queue more than given segments per session and direction { 0:max32 }
</p>
</li>
<li>
<p>
bool <strong>stream_tcp.reassemble_async</strong> = true: queue data for reassembly before traffic is seen in both directions
</p>
</li>
<li>
<p>
int <strong>stream_tcp.require_3whs</strong> = -1: don&#8217;t track midstream sessions after given seconds from start up; -1 tracks all { -1:max31 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.session_timeout</strong> = 30: session tracking timeout { 1:max31 }
</p>
</li>
<li>
<p>
bool <strong>stream_tcp.show_rebuilt_packets</strong> = false: enable cmg like output of reassembled packets
</p>
</li>
<li>
<p>
int <strong>stream_tcp.small_segments.count</strong> = 0: limit number of small segments queued { 0:2048 }
</p>
</li>
<li>
<p>
int <strong>stream_tcp.small_segments.maximum_size</strong> = 0: limit number of small segments queued { 0:2048 }
</p>
</li>
<li>
<p>
bool <strong>stream_tcp.track_only</strong> = false: disable reassembly if true
</p>
</li>
<li>
<p>
int <strong>stream.trace</strong>: mask for enabling debug traces in module { 0:max53 }
</p>
</li>
<li>
<p>
int <strong>stream.udp_cache.cap_weight</strong> = 128: additional bytes to track per flow for better estimation against cap { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>stream_udp.session_timeout</strong> = 30: session tracking timeout { 1:max31 }
</p>
</li>
<li>
<p>
int <strong>stream.user_cache.cap_weight</strong> = 256: additional bytes to track per flow for better estimation against cap { 0:65535 }
</p>
</li>
<li>
<p>
int <strong>stream.user_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>stream_user.session_timeout</strong> = 30: session tracking timeout { 1:max31 }
</p>
</li>
<li>
<p>
int <strong>stream_user.trace</strong>: mask for enabling debug traces in module { 0:max53 }
</p>
</li>
<li>
<p>
int <strong><code>suppress[].gid</code></strong> = 0: rule generator ID { 0:max32 }
</p>
</li>
<li>
<p>
string <strong><code>suppress[].ip</code></strong>: restrict suppression to these addresses according to track
</p>
</li>
<li>
<p>
int <strong><code>suppress[].sid</code></strong> = 0: rule signature ID { 0:max32 }
</p>
</li>
<li>
<p>
enum <strong><code>suppress[].track</code></strong>: suppress only matching source or destination addresses { by_src | by_dst }
</p>
</li>
<li>
<p>
int <strong>tag.bytes</strong>: tag for this many bytes { 1:max32 }
</p>
</li>
<li>
<p>
enum <strong>tag.~</strong>: log all packets in session or all packets to or from host { session|host_src|host_dst }
</p>
</li>
<li>
<p>
int <strong>tag.packets</strong>: tag this many packets { 1:max32 }
</p>
</li>
<li>
<p>
int <strong>tag.seconds</strong>: tag for this many seconds { 1:max32 }
</p>
</li>
<li>
<p>
enum <strong>target.~</strong>: indicate the target of the attack { src_ip | dst_ip }
</p>
</li>
<li>
<p>
string <strong>tcp_connector.address</strong>: address
</p>
</li>
<li>
<p>
port <strong>tcp_connector.base_port</strong>: base port number
</p>
</li>
<li>
<p>
string <strong>tcp_connector.connector</strong>: connector name
</p>
</li>
<li>
<p>
enum <strong>tcp_connector.setup</strong>: stream establishment { call | answer }
</p>
</li>
<li>
<p>
int <strong>telnet.ayt_attack_thresh</strong> = -1: alert on this number of consecutive Telnet AYT commands { -1:max31 }
</p>
</li>
<li>
<p>
bool <strong>telnet.check_encrypted</strong> = false: check for end of encryption
</p>
</li>
<li>
<p>
bool <strong>telnet.encrypted_traffic</strong> = false: check for encrypted Telnet and FTP
</p>
</li>
<li>
<p>
bool <strong>telnet.normalize</strong> = false: eliminate escape sequences
</p>
</li>
<li>
<p>
interval <strong>tos.~range</strong>: check if IP TOS is in given range { 0:255 }
</p>
</li>
<li>
<p>
interval <strong>ttl.~range</strong>: check if IP TTL is in the given range { 0:255 }
</p>
</li>
<li>
<p>
bool <strong>udp.deep_teredo_inspection</strong> = false: look for Teredo on all UDP ports (default is only 3544)
</p>
</li>
<li>
<p>
bool <strong>udp.enable_gtp</strong> = false: decode GTP encapsulations
</p>
</li>
<li>
<p>
bit_list <strong>udp.gtp_ports</strong> = 2152 3386: set GTP ports { 65535 }
</p>
</li>
<li>
<p>
bool <strong>unified2.legacy_events</strong> = false: generate Snort 2.X style events for barnyard2 compatibility
</p>
</li>
<li>
<p>
int <strong>unified2.limit</strong> = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
</p>
</li>
<li>
<p>
bool <strong>unified2.nostamp</strong> = true: append file creation time to name (in Unix Epoch format)
</p>
</li>
<li>
<p>
interval <strong>urg.~range</strong>: check if tcp urgent offset is in given range { 0:65535 }
</p>
</li>
<li>
<p>
interval <strong>window.~range</strong>: check if TCP window size is in given range { 0:65535 }
</p>
</li>
<li>
<p>
multi <strong>wizard.curses</strong>: enable service identification based on internal algorithm { dce_smb | dce_udp | dce_tcp }
</p>
</li>
<li>
<p>
bool <strong><code>wizard.hexes[].client_first</code></strong> = true: which end initiates data transfer
</p>
</li>
<li>
<p>
select <strong><code>wizard.hexes[].proto</code></strong> = tcp: protocol to scan { tcp | udp }
</p>
</li>
<li>
<p>
string <strong><code>wizard.hexes[].service</code></strong>: name of service
</p>
</li>
<li>
<p>
string <strong><code>wizard.hexes[].to_client[].hex</code></strong>: sequence of data with wild chars (?)
</p>
</li>
<li>
<p>
string <strong><code>wizard.hexes[].to_server[].hex</code></strong>: sequence of data with wild chars (?)
</p>
</li>
<li>
<p>
bool <strong><code>wizard.spells[].client_first</code></strong> = true: which end initiates data transfer
</p>
</li>
<li>
<p>
select <strong><code>wizard.spells[].proto</code></strong> = tcp: protocol to scan { tcp | udp }
</p>
</li>
<li>
<p>
string <strong><code>wizard.spells[].service</code></strong>: name of service
</p>
</li>
<li>
<p>
string <strong><code>wizard.spells[].to_client[].spell</code></strong>: sequence of data with wild cards (*)
</p>
</li>
<li>
<p>
string <strong><code>wizard.spells[].to_server[].spell</code></strong>: sequence of data with wild cards (*)
</p>
</li>
<li>
<p>
interval <strong>wscale.~range</strong>: check if TCP window scale is in given range { 0:65535 }
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_counts">Counts</h3>
<div class="ulist"><ul>
<li>
<p>
<strong>active.injects</strong>: total crafted packets injected (sum)
</p>
</li>
<li>
<p>
<strong>appid.appid_unknown</strong>: count of sessions where appid could not be determined (sum)
</p>
</li>
<li>
<p>
<strong>appid.ignored_packets</strong>: count of packets ignored (sum)
</p>
</li>
<li>
<p>
<strong>appid.packets</strong>: count of packets received (sum)
</p>
</li>
<li>
<p>
<strong>appid.processed_packets</strong>: count of packets processed (sum)
</p>
</li>
<li>
<p>
<strong>appid.total_sessions</strong>: count of sessions created (sum)
</p>
</li>
<li>
<p>
<strong>arp_spoof.packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>back_orifice.packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>binder.allows</strong>: allow bindings (sum)
</p>
</li>
<li>
<p>
<strong>binder.blocks</strong>: block bindings (sum)
</p>
</li>
<li>
<p>
<strong>binder.inspects</strong>: inspect bindings (sum)
</p>
</li>
<li>
<p>
<strong>binder.packets</strong>: initial bindings (sum)
</p>
</li>
<li>
<p>
<strong>binder.resets</strong>: reset bindings (sum)
</p>
</li>
<li>
<p>
<strong>daq.allow</strong>: total allow verdicts (sum)
</p>
</li>
<li>
<p>
<strong>daq.analyzed</strong>: total packets analyzed from DAQ (sum)
</p>
</li>
<li>
<p>
<strong>daq.blacklist</strong>: total blacklist verdicts (sum)
</p>
</li>
<li>
<p>
<strong>daq.block</strong>: total block verdicts (sum)
</p>
</li>
<li>
<p>
<strong>daq.dropped</strong>: packets dropped (sum)
</p>
</li>
<li>
<p>
<strong>daq.filtered</strong>: packets filtered out (sum)
</p>
</li>
<li>
<p>
<strong>daq.idle</strong>: attempts to acquire from DAQ without available packets (sum)
</p>
</li>
<li>
<p>
<strong>daq.ignore</strong>: total ignore verdicts (sum)
</p>
</li>
<li>
<p>
<strong>daq.injected</strong>: active responses or replacements (sum)
</p>
</li>
<li>
<p>
<strong>daq.internal_blacklist</strong>: packets blacklisted internally due to lack of DAQ support (sum)
</p>
</li>
<li>
<p>
<strong>daq.internal_whitelist</strong>: packets whitelisted internally due to lack of DAQ support (sum)
</p>
</li>
<li>
<p>
<strong>daq.outstanding</strong>: packets unprocessed (sum)
</p>
</li>
<li>
<p>
<strong>daq.pcaps</strong>: total files and interfaces processed (max)
</p>
</li>
<li>
<p>
<strong>daq.received</strong>: total packets received from DAQ (sum)
</p>
</li>
<li>
<p>
<strong>daq.replace</strong>: total replace verdicts (sum)
</p>
</li>
<li>
<p>
<strong>daq.retries_discarded</strong>: messages discarded when purging the retry queue (sum)
</p>
</li>
<li>
<p>
<strong>daq.retries_dropped</strong>: messages dropped when overrunning the retry queue (sum)
</p>
</li>
<li>
<p>
<strong>daq.retries_processed</strong>: messages processed from the retry queue (sum)
</p>
</li>
<li>
<p>
<strong>daq.retries_queued</strong>: messages queued for retry (sum)
</p>
</li>
<li>
<p>
<strong>daq.retry</strong>: total retry verdicts (sum)
</p>
</li>
<li>
<p>
<strong>daq.rx_bytes</strong>: total bytes received (sum)
</p>
</li>
<li>
<p>
<strong>daq.skipped</strong>: packets skipped at startup (sum)
</p>
</li>
<li>
<p>
<strong>daq.whitelist</strong>: total whitelist verdicts (sum)
</p>
</li>
<li>
<p>
<strong>data_log.packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>dce_http_proxy.http_proxy_session_failures</strong>: failed http proxy sessions (sum)
</p>
</li>
<li>
<p>
<strong>dce_http_proxy.http_proxy_sessions</strong>: successful http proxy sessions (sum)
</p>
</li>
<li>
<p>
<strong>dce_http_server.http_server_session_failures</strong>: failed http server sessions (sum)
</p>
</li>
<li>
<p>
<strong>dce_http_server.http_server_sessions</strong>: successful http server sessions (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.alter_context_responses</strong>: total connection-oriented alter context responses (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.alter_contexts</strong>: total connection-oriented alter contexts (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.auth3s</strong>: total connection-oriented auth3s (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.bind_acks</strong>: total connection-oriented binds acks (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.bind_naks</strong>: total connection-oriented bind naks (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.binds</strong>: total connection-oriented binds (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.cancels</strong>: total connection-oriented cancels (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.client_frags_reassembled</strong>: total connection-oriented client fragments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.client_max_fragment_size</strong>: connection-oriented client maximum fragment size (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.client_min_fragment_size</strong>: connection-oriented client minimum fragment size (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.client_segs_reassembled</strong>: total connection-oriented client segments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.concurrent_sessions</strong>: total concurrent sessions (now)
</p>
</li>
<li>
<p>
<strong>dce_smb.events</strong>: total events (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.faults</strong>: total connection-oriented faults (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.files_processed</strong>: total smb files processed (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.ignored_bytes</strong>: total ignored bytes (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.max_concurrent_sessions</strong>: maximum concurrent sessions (max)
</p>
</li>
<li>
<p>
<strong>dce_smb.max_outstanding_requests</strong>: total smb maximum outstanding requests (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.ms_rpc_http_pdus</strong>: total connection-oriented MS requests to send RPC over HTTP (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.orphaned</strong>: total connection-oriented orphaned (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.other_requests</strong>: total connection-oriented other requests (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.other_responses</strong>: total connection-oriented other responses (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.packets</strong>: total smb packets (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.pdus</strong>: total connection-oriented PDUs (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.rejects</strong>: total connection-oriented rejects (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.request_fragments</strong>: total connection-oriented request fragments (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.requests</strong>: total connection-oriented requests (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.response_fragments</strong>: total connection-oriented response fragments (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.responses</strong>: total connection-oriented responses (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.server_frags_reassembled</strong>: total connection-oriented server fragments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.server_max_fragment_size</strong>: connection-oriented server maximum fragment size (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.server_min_fragment_size</strong>: connection-oriented server minimum fragment size (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.server_segs_reassembled</strong>: total connection-oriented server segments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.sessions</strong>: total smb sessions (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.shutdowns</strong>: total connection-oriented shutdowns (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.smb_client_segs_reassembled</strong>: total smb client segments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.smb_server_segs_reassembled</strong>: total smb server segments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.smbv2_close</strong>: total number of SMBv2 close packets seen (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.smbv2_create</strong>: total number of SMBv2 create packets seen (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.smbv2_read</strong>: total number of SMBv2 read packets seen (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.smbv2_set_info</strong>: total number of SMBv2 set info packets seen (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.smbv2_tree_connect</strong>: total number of SMBv2 tree connect packets seen (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.smbv2_tree_disconnect</strong>: total number of SMBv2 tree disconnect packets seen (sum)
</p>
</li>
<li>
<p>
<strong>dce_smb.smbv2_write</strong>: total number of SMBv2 write packets seen (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.alter_context_responses</strong>: total connection-oriented alter context responses (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.alter_contexts</strong>: total connection-oriented alter contexts (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.auth3s</strong>: total connection-oriented auth3s (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.bind_acks</strong>: total connection-oriented binds acks (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.bind_naks</strong>: total connection-oriented bind naks (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.binds</strong>: total connection-oriented binds (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.cancels</strong>: total connection-oriented cancels (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.client_frags_reassembled</strong>: total connection-oriented client fragments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.client_max_fragment_size</strong>: connection-oriented client maximum fragment size (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.client_min_fragment_size</strong>: connection-oriented client minimum fragment size (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.client_segs_reassembled</strong>: total connection-oriented client segments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.concurrent_sessions</strong>: total concurrent sessions (now)
</p>
</li>
<li>
<p>
<strong>dce_tcp.events</strong>: total events (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.faults</strong>: total connection-oriented faults (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.max_concurrent_sessions</strong>: maximum concurrent sessions (max)
</p>
</li>
<li>
<p>
<strong>dce_tcp.ms_rpc_http_pdus</strong>: total connection-oriented MS requests to send RPC over HTTP (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.orphaned</strong>: total connection-oriented orphaned (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.other_requests</strong>: total connection-oriented other requests (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.other_responses</strong>: total connection-oriented other responses (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.pdus</strong>: total connection-oriented PDUs (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.rejects</strong>: total connection-oriented rejects (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.request_fragments</strong>: total connection-oriented request fragments (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.requests</strong>: total connection-oriented requests (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.response_fragments</strong>: total connection-oriented response fragments (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.responses</strong>: total connection-oriented responses (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.server_frags_reassembled</strong>: total connection-oriented server fragments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.server_max_fragment_size</strong>: connection-oriented server maximum fragment size (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.server_min_fragment_size</strong>: connection-oriented server minimum fragment size (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.server_segs_reassembled</strong>: total connection-oriented server segments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.shutdowns</strong>: total connection-oriented shutdowns (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.tcp_packets</strong>: total tcp packets (sum)
</p>
</li>
<li>
<p>
<strong>dce_tcp.tcp_sessions</strong>: total tcp sessions (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.acks</strong>: total connection-less acks (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.cancel_acks</strong>: total connection-less cancel acks (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.cancels</strong>: total connection-less cancels (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.client_facks</strong>: total connection-less client facks (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.concurrent_sessions</strong>: total concurrent sessions (now)
</p>
</li>
<li>
<p>
<strong>dce_udp.events</strong>: total events (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.faults</strong>: total connection-less faults (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.fragments</strong>: total connection-less fragments (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.frags_reassembled</strong>: total connection-less fragments reassembled (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.max_concurrent_sessions</strong>: maximum concurrent sessions (max)
</p>
</li>
<li>
<p>
<strong>dce_udp.max_fragment_size</strong>: connection-less maximum fragment size (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.max_seqnum</strong>: max connection-less seqnum (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.no_calls</strong>: total connection-less no calls (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.other_requests</strong>: total connection-less other requests (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.other_responses</strong>: total connection-less other responses (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.ping</strong>: total connection-less ping (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.rejects</strong>: total connection-less rejects (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.requests</strong>: total connection-less requests (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.responses</strong>: total connection-less responses (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.server_facks</strong>: total connection-less server facks (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.udp_packets</strong>: total udp packets (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.udp_sessions</strong>: total udp sessions (sum)
</p>
</li>
<li>
<p>
<strong>dce_udp.working</strong>: total connection-less working (sum)
</p>
</li>
<li>
<p>
<strong>detection.alert_limit</strong>: events previously triggered on same PDU (sum)
</p>
</li>
<li>
<p>
<strong>detection.alerts</strong>: alerts not including IP reputation (sum)
</p>
</li>
<li>
<p>
<strong>detection.alt_searches</strong>: alt fast pattern searches in packet data (sum)
</p>
</li>
<li>
<p>
<strong>detection.analyzed</strong>: total packets processed (now)
</p>
</li>
<li>
<p>
<strong>detection.body_searches</strong>: fast pattern searches in body buffer (sum)
</p>
</li>
<li>
<p>
<strong>detection.context_stalls</strong>: times processing stalled to wait for an available context (sum)
</p>
</li>
<li>
<p>
<strong>detection.cooked_searches</strong>: fast pattern searches in cooked packet data (sum)
</p>
</li>
<li>
<p>
<strong>detection.event_limit</strong>: events filtered (sum)
</p>
</li>
<li>
<p>
<strong>detection.file_searches</strong>: fast pattern searches in file buffer (sum)
</p>
</li>
<li>
<p>
<strong>detection.hard_evals</strong>: non-fast pattern rule evaluations (sum)
</p>
</li>
<li>
<p>
<strong>detection.header_searches</strong>: fast pattern searches in header buffer (sum)
</p>
</li>
<li>
<p>
<strong>detection.key_searches</strong>: fast pattern searches in key buffer (sum)
</p>
</li>
<li>
<p>
<strong>detection.logged</strong>: logged packets (sum)
</p>
</li>
<li>
<p>
<strong>detection.log_limit</strong>: events queued but not logged (sum)
</p>
</li>
<li>
<p>
<strong>detection.match_limit</strong>: fast pattern matches not processed (sum)
</p>
</li>
<li>
<p>
<strong>detection.offload_busy</strong>: times offload was not available (sum)
</p>
</li>
<li>
<p>
<strong>detection.offload_failures</strong>: fast pattern offload search failures (sum)
</p>
</li>
<li>
<p>
<strong>detection.offload_fallback</strong>: fast pattern offload search fallback attempts (sum)
</p>
</li>
<li>
<p>
<strong>detection.offloads</strong>: fast pattern searches that were offloaded (sum)
</p>
</li>
<li>
<p>
<strong>detection.offload_suspends</strong>: fast pattern search suspends due to offload context chains (sum)
</p>
</li>
<li>
<p>
<strong>detection.onload_waits</strong>: times processing waited for onload to complete (sum)
</p>
</li>
<li>
<p>
<strong>detection.passed</strong>: passed packets (sum)
</p>
</li>
<li>
<p>
<strong>detection.pcre_error</strong>: total number of times pcre returns error (sum)
</p>
</li>
<li>
<p>
<strong>detection.pcre_match_limit</strong>: total number of times pcre hit the match limit (sum)
</p>
</li>
<li>
<p>
<strong>detection.pcre_recursion_limit</strong>: total number of times pcre hit the recursion limit (sum)
</p>
</li>
<li>
<p>
<strong>detection.pkt_searches</strong>: fast pattern searches in packet data (sum)
</p>
</li>
<li>
<p>
<strong>detection.queue_limit</strong>: events not queued because queue full (sum)
</p>
</li>
<li>
<p>
<strong>detection.raw_searches</strong>: fast pattern searches in raw packet data (sum)
</p>
</li>
<li>
<p>
<strong>detection.total_alerts</strong>: alerts including IP reputation (sum)
</p>
</li>
<li>
<p>
<strong>dnp3.concurrent_sessions</strong>: total concurrent dnp3 sessions (now)
</p>
</li>
<li>
<p>
<strong>dnp3.dnp3_application_pdus</strong>: total dnp3 application pdus (sum)
</p>
</li>
<li>
<p>
<strong>dnp3.dnp3_link_layer_frames</strong>: total dnp3 link layer frames (sum)
</p>
</li>
<li>
<p>
<strong>dnp3.max_concurrent_sessions</strong>: maximum concurrent dnp3 sessions (max)
</p>
</li>
<li>
<p>
<strong>dnp3.tcp_pdus</strong>: total tcp pdus (sum)
</p>
</li>
<li>
<p>
<strong>dnp3.total_packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>dnp3.udp_packets</strong>: total udp packets (sum)
</p>
</li>
<li>
<p>
<strong>dns.concurrent_sessions</strong>: total concurrent dns sessions (now)
</p>
</li>
<li>
<p>
<strong>dns.max_concurrent_sessions</strong>: maximum concurrent dns sessions (max)
</p>
</li>
<li>
<p>
<strong>dns.packets</strong>: total packets processed (sum)
</p>
</li>
<li>
<p>
<strong>dns.requests</strong>: total dns requests (sum)
</p>
</li>
<li>
<p>
<strong>dns.responses</strong>: total dns responses (sum)
</p>
</li>
<li>
<p>
<strong>domain_filter.checked</strong>: domains checked (sum)
</p>
</li>
<li>
<p>
<strong>domain_filter.filtered</strong>: domains filtered (sum)
</p>
</li>
<li>
<p>
<strong>dpx.packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>event_filter.no_memory_global</strong>: number of times event filter ran out of global memory (sum)
</p>
</li>
<li>
<p>
<strong>event_filter.no_memory_local</strong>: number of times event filter ran out of local memory (sum)
</p>
</li>
<li>
<p>
<strong>file_connector.messages</strong>: total messages (sum)
</p>
</li>
<li>
<p>
<strong>file_id.cache_failures</strong>: number of file cache add failures (sum)
</p>
</li>
<li>
<p>
<strong>file_id.total_file_data</strong>: number of file data bytes processed (sum)
</p>
</li>
<li>
<p>
<strong>file_id.total_files</strong>: number of files processed (sum)
</p>
</li>
<li>
<p>
<strong>file_log.total_events</strong>: total file events (sum)
</p>
</li>
<li>
<p>
<strong>finalize_packet.events</strong>: total events seen (sum)
</p>
</li>
<li>
<p>
<strong>finalize_packet.pdus</strong>: total PDUs seen (sum)
</p>
</li>
<li>
<p>
<strong>ftp_data.packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>ftp_server.concurrent_sessions</strong>: total concurrent FTP sessions (now)
</p>
</li>
<li>
<p>
<strong>ftp_server.max_concurrent_sessions</strong>: maximum concurrent FTP sessions (max)
</p>
</li>
<li>
<p>
<strong>ftp_server.total_packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>gtp_inspect.concurrent_sessions</strong>: total concurrent gtp sessions (now)
</p>
</li>
<li>
<p>
<strong>gtp_inspect.events</strong>: requests (sum)
</p>
</li>
<li>
<p>
<strong>gtp_inspect.max_concurrent_sessions</strong>: maximum concurrent gtp sessions (max)
</p>
</li>
<li>
<p>
<strong>gtp_inspect.sessions</strong>: total sessions processed (sum)
</p>
</li>
<li>
<p>
<strong>gtp_inspect.unknown_infos</strong>: unknown information elements (sum)
</p>
</li>
<li>
<p>
<strong>gtp_inspect.unknown_types</strong>: unknown message types (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.client_consume_errors</strong>: client data consume failure count (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.daq_imports</strong>: states imported via daq (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.daq_stores</strong>: states stored via daq (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.delete_msgs_consumed</strong>: deletion messages consumed (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.msg_length_mismatch</strong>: messages received with an inconsistent total length (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.msgs_recv</strong>: total messages received (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.msg_version_mismatch</strong>: messages received with a version mismatch (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.truncated_msgs</strong>: truncated messages received (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.unknown_client_idx</strong>: messages received with an unknown client index (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.unknown_key_type</strong>: messages received with an unknown flow key type (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.update_msgs_consumed</strong>: update messages fully consumed (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.update_msgs_recv_no_flow</strong>: update messages received without a local flow (sum)
</p>
</li>
<li>
<p>
<strong>high_availability.update_msgs_recv</strong>: update messages received (sum)
</p>
</li>
<li>
<p>
<strong>host_cache.lru_cache_adds</strong>: lru cache added new entry (sum)
</p>
</li>
<li>
<p>
<strong>host_cache.lru_cache_find_hits</strong>: lru cache found entry in cache (sum)
</p>
</li>
<li>
<p>
<strong>host_cache.lru_cache_find_misses</strong>: lru cache did not find entry in cache (sum)
</p>
</li>
<li>
<p>
<strong>host_cache.lru_cache_prunes</strong>: lru cache pruned entry to make space for new entry (sum)
</p>
</li>
<li>
<p>
<strong>host_cache.lru_cache_removes</strong>: lru cache found entry and removed it (sum)
</p>
</li>
<li>
<p>
<strong>host_tracker.service_adds</strong>: host service adds (sum)
</p>
</li>
<li>
<p>
<strong>host_tracker.service_finds</strong>: host service finds (sum)
</p>
</li>
<li>
<p>
<strong>http2_inspect.concurrent_sessions</strong>: total concurrent HTTP/2 sessions (now)
</p>
</li>
<li>
<p>
<strong>http2_inspect.flows</strong>: HTTP connections inspected (sum)
</p>
</li>
<li>
<p>
<strong>http2_inspect.max_concurrent_sessions</strong>: maximum concurrent HTTP/2 sessions (max)
</p>
</li>
<li>
<p>
<strong>http_inspect.chunked</strong>: chunked message bodies (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.concurrent_sessions</strong>: total concurrent http sessions (now)
</p>
</li>
<li>
<p>
<strong>http_inspect.connect_requests</strong>: CONNECT requests inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.delete_requests</strong>: DELETE requests inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.detained_packets</strong>: TCP packets delayed by accelerated blocking (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.flows</strong>: HTTP connections inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.get_requests</strong>: GET requests inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.head_requests</strong>: HEAD requests inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.inspections</strong>: total message sections inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.max_concurrent_sessions</strong>: maximum concurrent http sessions (max)
</p>
</li>
<li>
<p>
<strong>http_inspect.options_requests</strong>: OPTIONS requests inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.other_requests</strong>: other request methods inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.partial_inspections</strong>: pre-inspections for accelerated blocking (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.post_requests</strong>: POST requests inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.put_requests</strong>: PUT requests inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.reassembles</strong>: TCP segments combined into HTTP messages (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.request_bodies</strong>: POST, PUT, and other requests with message bodies (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.requests</strong>: HTTP request messages inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.responses</strong>: HTTP response messages inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.scans</strong>: TCP segments scanned looking for HTTP messages (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.trace_requests</strong>: TRACE requests inspected (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.uri_coding</strong>: URIs with character coding problems (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.uri_normalizations</strong>: URIs needing to be normalization (sum)
</p>
</li>
<li>
<p>
<strong>http_inspect.uri_path</strong>: URIs with path problems (sum)
</p>
</li>
<li>
<p>
<strong>icmp4.bad_checksum</strong>: non-zero icmp checksums (sum)
</p>
</li>
<li>
<p>
<strong>icmp6.bad_icmp6_checksum</strong>: nonzero icmp6 checksums (sum)
</p>
</li>
<li>
<p>
<strong>imap.b64_attachments</strong>: total base64 attachments decoded (sum)
</p>
</li>
<li>
<p>
<strong>imap.b64_decoded_bytes</strong>: total base64 decoded bytes (sum)
</p>
</li>
<li>
<p>
<strong>imap.concurrent_sessions</strong>: total concurrent imap sessions (now)
</p>
</li>
<li>
<p>
<strong>imap.max_concurrent_sessions</strong>: maximum concurrent imap sessions (max)
</p>
</li>
<li>
<p>
<strong>imap.non_encoded_attachments</strong>: total non-encoded attachments extracted (sum)
</p>
</li>
<li>
<p>
<strong>imap.non_encoded_bytes</strong>: total non-encoded extracted bytes (sum)
</p>
</li>
<li>
<p>
<strong>imap.packets</strong>: total packets processed (sum)
</p>
</li>
<li>
<p>
<strong>imap.qp_attachments</strong>: total quoted-printable attachments decoded (sum)
</p>
</li>
<li>
<p>
<strong>imap.qp_decoded_bytes</strong>: total quoted-printable decoded bytes (sum)
</p>
</li>
<li>
<p>
<strong>imap.sessions</strong>: total imap sessions (sum)
</p>
</li>
<li>
<p>
<strong>imap.uu_attachments</strong>: total uu attachments decoded (sum)
</p>
</li>
<li>
<p>
<strong>imap.uu_decoded_bytes</strong>: total uu decoded bytes (sum)
</p>
</li>
<li>
<p>
<strong>ipv4.bad_checksum</strong>: nonzero ip checksums (sum)
</p>
</li>
<li>
<p>
<strong>latency.max_usecs</strong>: maximum usecs elapsed (sum)
</p>
</li>
<li>
<p>
<strong>latency.packet_timeouts</strong>: packets that timed out (sum)
</p>
</li>
<li>
<p>
<strong>latency.rule_eval_timeouts</strong>: rule evals that timed out (sum)
</p>
</li>
<li>
<p>
<strong>latency.rule_tree_enables</strong>: rule tree re-enables (sum)
</p>
</li>
<li>
<p>
<strong>latency.total_packets</strong>: total packets monitored (sum)
</p>
</li>
<li>
<p>
<strong>latency.total_rule_evals</strong>: total rule evals monitored (sum)
</p>
</li>
<li>
<p>
<strong>latency.total_usecs</strong>: total usecs elapsed (sum)
</p>
</li>
<li>
<p>
<strong>memory.allocated</strong>: total amount of memory allocated (now)
</p>
</li>
<li>
<p>
<strong>memory.allocations</strong>: total number of allocations (now)
</p>
</li>
<li>
<p>
<strong>memory.deallocated</strong>: total amount of memory allocated (now)
</p>
</li>
<li>
<p>
<strong>memory.deallocations</strong>: total number of deallocations (now)
</p>
</li>
<li>
<p>
<strong>memory.max_in_use</strong>: highest allocated - deallocated (max)
</p>
</li>
<li>
<p>
<strong>memory.reap_attempts</strong>: attempts to reclaim memory (now)
</p>
</li>
<li>
<p>
<strong>memory.reap_failures</strong>: failures to reclaim memory (now)
</p>
</li>
<li>
<p>
<strong>memory.total_fudge</strong>: sum of all adjustments (now)
</p>
</li>
<li>
<p>
<strong>mem_test.packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>modbus.concurrent_sessions</strong>: total concurrent modbus sessions (now)
</p>
</li>
<li>
<p>
<strong>modbus.frames</strong>: total Modbus messages (sum)
</p>
</li>
<li>
<p>
<strong>modbus.max_concurrent_sessions</strong>: maximum concurrent modbus sessions (max)
</p>
</li>
<li>
<p>
<strong>modbus.sessions</strong>: total sessions processed (sum)
</p>
</li>
<li>
<p>
<strong>mpls.total_bytes</strong>: total mpls labeled bytes processed (sum)
</p>
</li>
<li>
<p>
<strong>mpls.total_packets</strong>: total mpls labeled packets processed (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.icmp4_echo</strong>: icmp4 ping normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.icmp6_echo</strong>: icmp6 echo normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.ip4_df</strong>: don&#8217;t frag bit normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.ip4_opts</strong>: ip4 options cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.ip4_rf</strong>: reserved flag bit clears (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.ip4_tos</strong>: type of service normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.ip4_trim</strong>: eth packets trimmed to datagram size (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.ip4_ttl</strong>: time-to-live normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.ip6_hops</strong>: ip6 hop limit normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.ip6_options</strong>: ip6 options cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_block</strong>: blocked segments (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_ecn_pkt</strong>: packets with ECN bits cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_ecn_session</strong>: ECN bits cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_ips_data</strong>: normalized segments (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_nonce</strong>: packets with nonce bit cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_options</strong>: packets with options cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_padding</strong>: packets with padding cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_req_pay</strong>: cleared urgent pointer and urgent flag when there is no payload (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_req_urg</strong>: cleared urgent pointer when urgent flag is not set (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_req_urp</strong>: cleared the urgent flag if the urgent pointer is not set (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_reserved</strong>: packets with reserved bits cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_syn_options</strong>: SYN only options cleared from non-SYN packets (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_trim_mss</strong>: data trimmed to MSS (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_trim_rst</strong>: RST packets with data trimmed (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_trim_syn</strong>: tcp segments trimmed on SYN (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_trim_win</strong>: data trimmed to window (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_ts_ecr</strong>: timestamp cleared on non-ACKs (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_ts_nop</strong>: timestamp options cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.tcp_urgent_ptr</strong>: packets without data with urgent pointer cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_icmp4_echo</strong>: test icmp4 ping normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_icmp6_echo</strong>: test icmp6 echo normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_ip4_df</strong>: test don&#8217;t frag bit normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_ip4_opts</strong>: test ip4 options cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_ip4_rf</strong>: test reserved flag bit clears (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_ip4_tos</strong>: test type of service normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_ip4_trim</strong>: test eth packets trimmed to datagram size (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_ip4_ttl</strong>: test time-to-live normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_ip6_hops</strong>: test ip6 hop limit normalizations (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_ip6_options</strong>: test ip6 options cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_block</strong>: test blocked segments (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_ecn_pkt</strong>: test packets with ECN bits cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_ecn_session</strong>: test ECN bits cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_ips_data</strong>: test normalized segments (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_nonce</strong>: test packets with nonce bit cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_options</strong>: test packets with options cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_padding</strong>: test packets with padding cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_req_pay</strong>: test cleared urgent pointer and urgent flag when there is no payload (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_req_urg</strong>: test cleared urgent pointer when urgent flag is not set (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_req_urp</strong>: test cleared the urgent flag if the urgent pointer is not set (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_reserved</strong>: test packets with reserved bits cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_syn_options</strong>: test SYN only options cleared from non-SYN packets (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_trim_mss</strong>: test data trimmed to MSS (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_trim_rst</strong>: test RST packets with data trimmed (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_trim_syn</strong>: test tcp segments trimmed on SYN (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_trim_win</strong>: test data trimmed to window (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_ts_ecr</strong>: test timestamp cleared on non-ACKs (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_ts_nop</strong>: test timestamp options cleared (sum)
</p>
</li>
<li>
<p>
<strong>normalizer.test_tcp_urgent_ptr</strong>: test packets without data with urgent pointer cleared (sum)
</p>
</li>
<li>
<p>
<strong>packet_capture.captured</strong>: packets matching dumped after matching filter (sum)
</p>
</li>
<li>
<p>
<strong>packet_capture.processed</strong>: packets processed against filter (sum)
</p>
</li>
<li>
<p>
<strong>perf_monitor.packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>pop.b64_attachments</strong>: total base64 attachments decoded (sum)
</p>
</li>
<li>
<p>
<strong>pop.b64_decoded_bytes</strong>: total base64 decoded bytes (sum)
</p>
</li>
<li>
<p>
<strong>pop.concurrent_sessions</strong>: total concurrent pop sessions (now)
</p>
</li>
<li>
<p>
<strong>pop.max_concurrent_sessions</strong>: maximum concurrent pop sessions (max)
</p>
</li>
<li>
<p>
<strong>pop.non_encoded_attachments</strong>: total non-encoded attachments extracted (sum)
</p>
</li>
<li>
<p>
<strong>pop.non_encoded_bytes</strong>: total non-encoded extracted bytes (sum)
</p>
</li>
<li>
<p>
<strong>pop.packets</strong>: total packets processed (sum)
</p>
</li>
<li>
<p>
<strong>pop.qp_attachments</strong>: total quoted-printable attachments decoded (sum)
</p>
</li>
<li>
<p>
<strong>pop.qp_decoded_bytes</strong>: total quoted-printable decoded bytes (sum)
</p>
</li>
<li>
<p>
<strong>pop.sessions</strong>: total pop sessions (sum)
</p>
</li>
<li>
<p>
<strong>pop.uu_attachments</strong>: total uu attachments decoded (sum)
</p>
</li>
<li>
<p>
<strong>pop.uu_decoded_bytes</strong>: total uu decoded bytes (sum)
</p>
</li>
<li>
<p>
<strong>port_scan.packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>rate_filter.no_memory</strong>: number of times rate filter ran out of memory (sum)
</p>
</li>
<li>
<p>
<strong>reputation.blacklisted</strong>: number of packets blacklisted (sum)
</p>
</li>
<li>
<p>
<strong>reputation.memory_allocated</strong>: total memory allocated (sum)
</p>
</li>
<li>
<p>
<strong>reputation.monitored</strong>: number of packets monitored (sum)
</p>
</li>
<li>
<p>
<strong>reputation.packets</strong>: total packets processed (sum)
</p>
</li>
<li>
<p>
<strong>reputation.whitelisted</strong>: number of packets whitelisted (sum)
</p>
</li>
<li>
<p>
<strong>rna.change_host_update</strong>: count number of change host update events (sum)
</p>
</li>
<li>
<p>
<strong>rna.icmp_bidirectional</strong>: count of bidirectional ICMP flows received (sum)
</p>
</li>
<li>
<p>
<strong>rna.icmp_new</strong>: count of new ICMP flows received (sum)
</p>
</li>
<li>
<p>
<strong>rna.ip_bidirectional</strong>: count of bidirectional IP received (sum)
</p>
</li>
<li>
<p>
<strong>rna.ip_new</strong>: count of new IP flows received (sum)
</p>
</li>
<li>
<p>
<strong>rna.other_packets</strong>: count of packets received without session tracking (sum)
</p>
</li>
<li>
<p>
<strong>rna.tcp_midstream</strong>: count of TCP midstream packets received (sum)
</p>
</li>
<li>
<p>
<strong>rna.tcp_syn_ack</strong>: count of TCP SYN-ACK packets received (sum)
</p>
</li>
<li>
<p>
<strong>rna.tcp_syn</strong>: count of TCP SYN packets received (sum)
</p>
</li>
<li>
<p>
<strong>rna.udp_bidirectional</strong>: count of bidirectional UDP flows received (sum)
</p>
</li>
<li>
<p>
<strong>rna.udp_new</strong>: count of new UDP flows received (sum)
</p>
</li>
<li>
<p>
<strong>rpc_decode.concurrent_sessions</strong>: total concurrent rpc sessions (now)
</p>
</li>
<li>
<p>
<strong>rpc_decode.max_concurrent_sessions</strong>: maximum concurrent rpc sessions (max)
</p>
</li>
<li>
<p>
<strong>rpc_decode.total_packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>rt_global.packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>rt_packet.packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>rt_packet.retry_packets</strong>: total retried packets received (sum)
</p>
</li>
<li>
<p>
<strong>rt_packet.retry_requests</strong>: total retry packets requested (sum)
</p>
</li>
<li>
<p>
<strong>rt_service.flush_requests</strong>: total splitter flush requests (sum)
</p>
</li>
<li>
<p>
<strong>rt_service.hold_requests</strong>: total splitter hold requests (sum)
</p>
</li>
<li>
<p>
<strong>rt_service.packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>rt_service.search_requests</strong>: total splitter search requests (sum)
</p>
</li>
<li>
<p>
<strong>sd_pattern.below_threshold</strong>: sd_pattern matched but missed threshold (sum)
</p>
</li>
<li>
<p>
<strong>sd_pattern.pattern_not_found</strong>: sd_pattern did not not match (sum)
</p>
</li>
<li>
<p>
<strong>sd_pattern.terminated</strong>: hyperscan terminated (sum)
</p>
</li>
<li>
<p>
<strong>search_engine.max_queued</strong>: maximum fast pattern matches queued for further evaluation (sum)
</p>
</li>
<li>
<p>
<strong>search_engine.non_qualified_events</strong>: total non-qualified events (sum)
</p>
</li>
<li>
<p>
<strong>search_engine.qualified_events</strong>: total qualified events (sum)
</p>
</li>
<li>
<p>
<strong>search_engine.searched_bytes</strong>: total bytes searched (sum)
</p>
</li>
<li>
<p>
<strong>search_engine.total_flushed</strong>: fast pattern matches discarded due to overflow (sum)
</p>
</li>
<li>
<p>
<strong>search_engine.total_inserts</strong>: total fast pattern hits (sum)
</p>
</li>
<li>
<p>
<strong>search_engine.total_unique</strong>: total unique fast pattern hits (sum)
</p>
</li>
<li>
<p>
<strong>side_channel.packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>sip.ack</strong>: ack (sum)
</p>
</li>
<li>
<p>
<strong>sip.bye</strong>: bye (sum)
</p>
</li>
<li>
<p>
<strong>sip.cancel</strong>: cancel (sum)
</p>
</li>
<li>
<p>
<strong>sip.code_1xx</strong>: 1xx (sum)
</p>
</li>
<li>
<p>
<strong>sip.code_2xx</strong>: 2xx (sum)
</p>
</li>
<li>
<p>
<strong>sip.code_3xx</strong>: 3xx (sum)
</p>
</li>
<li>
<p>
<strong>sip.code_4xx</strong>: 4xx (sum)
</p>
</li>
<li>
<p>
<strong>sip.code_5xx</strong>: 5xx (sum)
</p>
</li>
<li>
<p>
<strong>sip.code_6xx</strong>: 6xx (sum)
</p>
</li>
<li>
<p>
<strong>sip.code_7xx</strong>: 7xx (sum)
</p>
</li>
<li>
<p>
<strong>sip.code_8xx</strong>: 8xx (sum)
</p>
</li>
<li>
<p>
<strong>sip.code_9xx</strong>: 9xx (sum)
</p>
</li>
<li>
<p>
<strong>sip.concurrent_sessions</strong>: total concurrent SIP sessions (now)
</p>
</li>
<li>
<p>
<strong>sip.dialogs</strong>: total dialogs (sum)
</p>
</li>
<li>
<p>
<strong>sip.events</strong>: events generated (sum)
</p>
</li>
<li>
<p>
<strong>sip.ignored_channels</strong>: total channels ignored (sum)
</p>
</li>
<li>
<p>
<strong>sip.ignored_sessions</strong>: total sessions ignored (sum)
</p>
</li>
<li>
<p>
<strong>sip.info</strong>: info (sum)
</p>
</li>
<li>
<p>
<strong>sip.invite</strong>: invite (sum)
</p>
</li>
<li>
<p>
<strong>sip.join</strong>: join (sum)
</p>
</li>
<li>
<p>
<strong>sip.max_concurrent_sessions</strong>: maximum concurrent SIP sessions (max)
</p>
</li>
<li>
<p>
<strong>sip.message</strong>: message (sum)
</p>
</li>
<li>
<p>
<strong>sip.notify</strong>: notify (sum)
</p>
</li>
<li>
<p>
<strong>sip.options</strong>: options (sum)
</p>
</li>
<li>
<p>
<strong>sip.packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>sip.prack</strong>: prack (sum)
</p>
</li>
<li>
<p>
<strong>sip.refer</strong>: refer (sum)
</p>
</li>
<li>
<p>
<strong>sip.register</strong>: register (sum)
</p>
</li>
<li>
<p>
<strong>sip.sessions</strong>: total sessions (sum)
</p>
</li>
<li>
<p>
<strong>sip.subscribe</strong>: subscribe (sum)
</p>
</li>
<li>
<p>
<strong>sip.total_requests</strong>: total requests (sum)
</p>
</li>
<li>
<p>
<strong>sip.total_responses</strong>: total responses (sum)
</p>
</li>
<li>
<p>
<strong>sip.update</strong>: update (sum)
</p>
</li>
<li>
<p>
<strong>smtp.b64_attachments</strong>: total base64 attachments decoded (sum)
</p>
</li>
<li>
<p>
<strong>smtp.b64_decoded_bytes</strong>: total base64 decoded bytes (sum)
</p>
</li>
<li>
<p>
<strong>smtp.concurrent_sessions</strong>: total concurrent smtp sessions (now)
</p>
</li>
<li>
<p>
<strong>smtp.max_concurrent_sessions</strong>: maximum concurrent smtp sessions (max)
</p>
</li>
<li>
<p>
<strong>smtp.non_encoded_attachments</strong>: total non-encoded attachments extracted (sum)
</p>
</li>
<li>
<p>
<strong>smtp.non_encoded_bytes</strong>: total non-encoded extracted bytes (sum)
</p>
</li>
<li>
<p>
<strong>smtp.packets</strong>: total packets processed (sum)
</p>
</li>
<li>
<p>
<strong>smtp.qp_attachments</strong>: total quoted-printable attachments decoded (sum)
</p>
</li>
<li>
<p>
<strong>smtp.qp_decoded_bytes</strong>: total quoted-printable decoded bytes (sum)
</p>
</li>
<li>
<p>
<strong>smtp.sessions</strong>: total smtp sessions (sum)
</p>
</li>
<li>
<p>
<strong>smtp.uu_attachments</strong>: total uu attachments decoded (sum)
</p>
</li>
<li>
<p>
<strong>smtp.uu_decoded_bytes</strong>: total uu decoded bytes (sum)
</p>
</li>
<li>
<p>
<strong>snort.attribute_table_hosts</strong>: total number of hosts in table (sum)
</p>
</li>
<li>
<p>
<strong>snort.attribute_table_reloads</strong>: number of times hosts table was reloaded (sum)
</p>
</li>
<li>
<p>
<strong>snort.conf_reloads</strong>: number of times configuration was reloaded (sum)
</p>
</li>
<li>
<p>
<strong>snort.daq_reloads</strong>: number of times daq configuration was reloaded (sum)
</p>
</li>
<li>
<p>
<strong>snort.inspector_deletions</strong>: number of times inspectors were deleted (sum)
</p>
</li>
<li>
<p>
<strong>snort.local_commands</strong>: total local commands processed (sum)
</p>
</li>
<li>
<p>
<strong>snort.policy_reloads</strong>: number of times policies were reloaded (sum)
</p>
</li>
<li>
<p>
<strong>snort.remote_commands</strong>: total remote commands processed (sum)
</p>
</li>
<li>
<p>
<strong>snort.signals</strong>: total signals processed (sum)
</p>
</li>
<li>
<p>
<strong>ssh.concurrent_sessions</strong>: total concurrent ssh sessions (now)
</p>
</li>
<li>
<p>
<strong>ssh.max_concurrent_sessions</strong>: maximum concurrent ssh sessions (max)
</p>
</li>
<li>
<p>
<strong>ssh.packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>ssl.alert</strong>: total ssl alert records (sum)
</p>
</li>
<li>
<p>
<strong>ssl.bad_handshakes</strong>: total bad handshakes (sum)
</p>
</li>
<li>
<p>
<strong>ssl.certificate</strong>: total ssl certificates (sum)
</p>
</li>
<li>
<p>
<strong>ssl.change_cipher</strong>: total change cipher records (sum)
</p>
</li>
<li>
<p>
<strong>ssl.client_application</strong>: total client application records (sum)
</p>
</li>
<li>
<p>
<strong>ssl.client_hello</strong>: total client hellos (sum)
</p>
</li>
<li>
<p>
<strong>ssl.client_key_exchange</strong>: total client key exchanges (sum)
</p>
</li>
<li>
<p>
<strong>ssl.concurrent_sessions</strong>: total concurrent ssl sessions (now)
</p>
</li>
<li>
<p>
<strong>ssl.decoded</strong>: ssl packets decoded (sum)
</p>
</li>
<li>
<p>
<strong>ssl.detection_disabled</strong>: total detection disabled (sum)
</p>
</li>
<li>
<p>
<strong>ssl.finished</strong>: total handshakes finished (sum)
</p>
</li>
<li>
<p>
<strong>ssl.handshakes_completed</strong>: total completed ssl handshakes (sum)
</p>
</li>
<li>
<p>
<strong>ssl.max_concurrent_sessions</strong>: maximum concurrent ssl sessions (max)
</p>
</li>
<li>
<p>
<strong>ssl.packets</strong>: total packets processed (sum)
</p>
</li>
<li>
<p>
<strong>ssl.server_application</strong>: total server application records (sum)
</p>
</li>
<li>
<p>
<strong>ssl.server_done</strong>: total server done (sum)
</p>
</li>
<li>
<p>
<strong>ssl.server_hello</strong>: total server hellos (sum)
</p>
</li>
<li>
<p>
<strong>ssl.server_key_exchange</strong>: total server key exchanges (sum)
</p>
</li>
<li>
<p>
<strong>ssl.sessions_ignored</strong>: total sessions ignore (sum)
</p>
</li>
<li>
<p>
<strong>ssl.unrecognized_records</strong>: total unrecognized records (sum)
</p>
</li>
<li>
<p>
<strong>stream.excess_prunes</strong>: sessions pruned due to excess (sum)
</p>
</li>
<li>
<p>
<strong>stream.flows</strong>: total sessions (sum)
</p>
</li>
<li>
<p>
<strong>stream.ha_prunes</strong>: sessions pruned by high availability sync (sum)
</p>
</li>
<li>
<p>
<strong>stream_icmp.created</strong>: icmp session trackers created (sum)
</p>
</li>
<li>
<p>
<strong>stream_icmp.max</strong>: max icmp sessions (max)
</p>
</li>
<li>
<p>
<strong>stream_icmp.prunes</strong>: icmp session prunes (sum)
</p>
</li>
<li>
<p>
<strong>stream_icmp.released</strong>: icmp session trackers released (sum)
</p>
</li>
<li>
<p>
<strong>stream_icmp.sessions</strong>: total icmp sessions (sum)
</p>
</li>
<li>
<p>
<strong>stream_icmp.timeouts</strong>: icmp session timeouts (sum)
</p>
</li>
<li>
<p>
<strong>stream.idle_prunes</strong>:  sessions pruned due to timeout (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.alerts</strong>: alerts generated (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.anomalies</strong>: anomalies detected (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.created</strong>: ip session trackers created (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.current_frags</strong>: current fragments (now)
</p>
</li>
<li>
<p>
<strong>stream_ip.discards</strong>: fragments discarded (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.drops</strong>: fragments dropped (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.fragmented_bytes</strong>: total fragmented bytes (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.frag_timeouts</strong>: datagrams abandoned (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.max_frags</strong>: max fragments (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.max</strong>: max ip sessions (max)
</p>
</li>
<li>
<p>
<strong>stream_ip.nodes_deleted</strong>: fragments deleted from tracker (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.nodes_inserted</strong>: fragments added to tracker (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.overlaps</strong>: overlapping fragments (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.prunes</strong>: ip session prunes (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.reassembled_bytes</strong>: total reassembled bytes (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.reassembled</strong>: reassembled datagrams (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.released</strong>: ip session trackers released (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.sessions</strong>: total ip sessions (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.timeouts</strong>: ip session timeouts (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.total_frags</strong>: total fragments (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.trackers_added</strong>: datagram trackers created (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.trackers_cleared</strong>: datagram trackers cleared (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.trackers_completed</strong>: datagram trackers completed (sum)
</p>
</li>
<li>
<p>
<strong>stream_ip.trackers_freed</strong>: datagram trackers released (sum)
</p>
</li>
<li>
<p>
<strong>stream.memcap_prunes</strong>: sessions pruned due to memcap (sum)
</p>
</li>
<li>
<p>
<strong>stream.preemptive_prunes</strong>: sessions pruned during preemptive pruning (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.client_cleanups</strong>: number of times data from server was flushed when session released (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.closing</strong>: number of sessions currently closing (now)
</p>
</li>
<li>
<p>
<strong>stream_tcp.created</strong>: tcp session trackers created (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.cur_packets_held</strong>: number of packets currently held (now)
</p>
</li>
<li>
<p>
<strong>stream_tcp.data_trackers</strong>: tcp session tracking started on data (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.discards</strong>: tcp packets discarded (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.established</strong>: number of sessions currently established (now)
</p>
</li>
<li>
<p>
<strong>stream_tcp.events</strong>: events generated (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.exceeded_max_bytes</strong>: number of times the maximum queued byte limit was reached (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.exceeded_max_segs</strong>: number of times the maximum queued segment limit was reached (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.fins</strong>: number of fin packets (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.gaps</strong>: missing data between PDUs (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.held_packet_limit_exceeded</strong>: number of times limit of max held packets exceeded (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.held_packet_rexmits</strong>: number of retransmits of held packets (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.held_packets_dropped</strong>: number of held packets dropped (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.held_packets_passed</strong>: number of held packets passed (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.ignored</strong>: tcp packets ignored (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.initializing</strong>: number of sessions currently initializing (now)
</p>
</li>
<li>
<p>
<strong>stream_tcp.instantiated</strong>: new sessions instantiated (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.internal_events</strong>: 135:X events generated (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.max</strong>: max tcp sessions (max)
</p>
</li>
<li>
<p>
<strong>stream_tcp.max_packets_held</strong>: maximum number of packets held simultaneously (max)
</p>
</li>
<li>
<p>
<strong>stream_tcp.memory</strong>: current memory in use (now)
</p>
</li>
<li>
<p>
<strong>stream_tcp.overlaps</strong>: overlapping segments queued (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.packets_held</strong>: number of packets held (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.partial_flush_bytes</strong>: partial flush total bytes (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.partial_flushes</strong>: number of partial flushes initiated (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.prunes</strong>: tcp session prunes (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.rebuilt_buffers</strong>: rebuilt PDU sections (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.rebuilt_bytes</strong>: total rebuilt bytes (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.rebuilt_packets</strong>: total reassembled PDUs (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.released</strong>: tcp session trackers released (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.resets</strong>: number of reset packets (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.restarts</strong>: sessions restarted (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.resyns</strong>: SYN received on established session (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.segs_queued</strong>: total segments queued (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.segs_released</strong>: total segments released (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.segs_split</strong>: tcp segments split when reassembling PDUs (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.segs_used</strong>: queued tcp segments applied to reassembled PDUs (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.server_cleanups</strong>: number of times data from client was flushed when session released (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.sessions</strong>: total tcp sessions (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.setups</strong>: session initializations (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.syn_acks</strong>: number of syn-ack packets (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.syn_ack_trackers</strong>: tcp session tracking started on syn-ack (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.syns</strong>: number of syn packets (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.syn_trackers</strong>: tcp session tracking started on syn (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.three_way_trackers</strong>: tcp session tracking started on ack (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.timeouts</strong>: tcp session timeouts (sum)
</p>
</li>
<li>
<p>
<strong>stream_tcp.untracked</strong>: tcp packets not tracked (sum)
</p>
</li>
<li>
<p>
<strong>stream.total_prunes</strong>: total sessions pruned (sum)
</p>
</li>
<li>
<p>
<strong>stream_udp.created</strong>: udp session trackers created (sum)
</p>
</li>
<li>
<p>
<strong>stream_udp.ignored</strong>: udp packets ignored (sum)
</p>
</li>
<li>
<p>
<strong>stream_udp.max</strong>: max udp sessions (max)
</p>
</li>
<li>
<p>
<strong>stream_udp.prunes</strong>: udp session prunes (sum)
</p>
</li>
<li>
<p>
<strong>stream_udp.released</strong>: udp session trackers released (sum)
</p>
</li>
<li>
<p>
<strong>stream_udp.sessions</strong>: total udp sessions (sum)
</p>
</li>
<li>
<p>
<strong>stream_udp.timeouts</strong>: udp session timeouts (sum)
</p>
</li>
<li>
<p>
<strong>stream.uni_prunes</strong>: uni sessions pruned (sum)
</p>
</li>
<li>
<p>
<strong>tcp.bad_tcp4_checksum</strong>: nonzero tcp over ip checksums (sum)
</p>
</li>
<li>
<p>
<strong>tcp.bad_tcp6_checksum</strong>: nonzero tcp over ipv6 checksums (sum)
</p>
</li>
<li>
<p>
<strong>tcp_connector.messages</strong>: total messages (sum)
</p>
</li>
<li>
<p>
<strong>telnet.concurrent_sessions</strong>: total concurrent Telnet sessions (now)
</p>
</li>
<li>
<p>
<strong>telnet.max_concurrent_sessions</strong>: maximum concurrent Telnet sessions (max)
</p>
</li>
<li>
<p>
<strong>telnet.total_packets</strong>: total packets (sum)
</p>
</li>
<li>
<p>
<strong>udp.bad_udp4_checksum</strong>: nonzero udp over ipv4 checksums (sum)
</p>
</li>
<li>
<p>
<strong>udp.bad_udp6_checksum</strong>: nonzero udp over ipv6 checksums (sum)
</p>
</li>
<li>
<p>
<strong>wizard.tcp_hits</strong>: tcp identifications (sum)
</p>
</li>
<li>
<p>
<strong>wizard.tcp_scans</strong>: tcp payload scans (sum)
</p>
</li>
<li>
<p>
<strong>wizard.udp_hits</strong>: udp identifications (sum)
</p>
</li>
<li>
<p>
<strong>wizard.udp_scans</strong>: udp payload scans (sum)
</p>
</li>
<li>
<p>
<strong>wizard.user_hits</strong>: user identifications (sum)
</p>
</li>
<li>
<p>
<strong>wizard.user_scans</strong>: user payload scans (sum)
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_generators">Generators</h3>
<div class="ulist"><ul>
<li>
<p>
<strong>105</strong>: back_orifice
</p>
</li>
<li>
<p>
<strong>106</strong>: rpc_decode
</p>
</li>
<li>
<p>
<strong>112</strong>: arp_spoof
</p>
</li>
<li>
<p>
<strong>116</strong>: arp
</p>
</li>
<li>
<p>
<strong>116</strong>: auth
</p>
</li>
<li>
<p>
<strong>116</strong>: ciscometadata
</p>
</li>
<li>
<p>
<strong>116</strong>: decode
</p>
</li>
<li>
<p>
<strong>116</strong>: eapol
</p>
</li>
<li>
<p>
<strong>116</strong>: erspan2
</p>
</li>
<li>
<p>
<strong>116</strong>: erspan3
</p>
</li>
<li>
<p>
<strong>116</strong>: esp
</p>
</li>
<li>
<p>
<strong>116</strong>: eth
</p>
</li>
<li>
<p>
<strong>116</strong>: fabricpath
</p>
</li>
<li>
<p>
<strong>116</strong>: gre
</p>
</li>
<li>
<p>
<strong>116</strong>: gtp
</p>
</li>
<li>
<p>
<strong>116</strong>: icmp4
</p>
</li>
<li>
<p>
<strong>116</strong>: icmp6
</p>
</li>
<li>
<p>
<strong>116</strong>: igmp
</p>
</li>
<li>
<p>
<strong>116</strong>: ipv4
</p>
</li>
<li>
<p>
<strong>116</strong>: ipv6
</p>
</li>
<li>
<p>
<strong>116</strong>: llc
</p>
</li>
<li>
<p>
<strong>116</strong>: mpls
</p>
</li>
<li>
<p>
<strong>116</strong>: pbb
</p>
</li>
<li>
<p>
<strong>116</strong>: pgm
</p>
</li>
<li>
<p>
<strong>116</strong>: pppoe
</p>
</li>
<li>
<p>
<strong>116</strong>: tcp
</p>
</li>
<li>
<p>
<strong>116</strong>: token_ring
</p>
</li>
<li>
<p>
<strong>116</strong>: udp
</p>
</li>
<li>
<p>
<strong>116</strong>: vlan
</p>
</li>
<li>
<p>
<strong>116</strong>: wlan
</p>
</li>
<li>
<p>
<strong>119</strong>: http_inspect
</p>
</li>
<li>
<p>
<strong>121</strong>: http2_inspect
</p>
</li>
<li>
<p>
<strong>122</strong>: port_scan
</p>
</li>
<li>
<p>
<strong>123</strong>: stream_ip
</p>
</li>
<li>
<p>
<strong>124</strong>: smtp
</p>
</li>
<li>
<p>
<strong>125</strong>: ftp_server
</p>
</li>
<li>
<p>
<strong>126</strong>: telnet
</p>
</li>
<li>
<p>
<strong>128</strong>: ssh
</p>
</li>
<li>
<p>
<strong>129</strong>: stream_tcp
</p>
</li>
<li>
<p>
<strong>131</strong>: dns
</p>
</li>
<li>
<p>
<strong>133</strong>: dce_http_proxy
</p>
</li>
<li>
<p>
<strong>133</strong>: dce_http_server
</p>
</li>
<li>
<p>
<strong>133</strong>: dce_smb
</p>
</li>
<li>
<p>
<strong>133</strong>: dce_tcp
</p>
</li>
<li>
<p>
<strong>133</strong>: dce_udp
</p>
</li>
<li>
<p>
<strong>134</strong>: latency
</p>
</li>
<li>
<p>
<strong>135</strong>: stream
</p>
</li>
<li>
<p>
<strong>136</strong>: reputation
</p>
</li>
<li>
<p>
<strong>137</strong>: ssl
</p>
</li>
<li>
<p>
<strong>140</strong>: sip
</p>
</li>
<li>
<p>
<strong>141</strong>: imap
</p>
</li>
<li>
<p>
<strong>142</strong>: pop
</p>
</li>
<li>
<p>
<strong>143</strong>: gtp_inspect
</p>
</li>
<li>
<p>
<strong>144</strong>: modbus
</p>
</li>
<li>
<p>
<strong>145</strong>: dnp3
</p>
</li>
<li>
<p>
<strong>146</strong>: file_id
</p>
</li>
<li>
<p>
<strong>175</strong>: domain_filter
</p>
</li>
<li>
<p>
<strong>256</strong>: dpx
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_builtin_rules">Builtin Rules</h3>
<div class="ulist"><ul>
<li>
<p>
<strong>105:1</strong> (back_orifice) BO traffic detected
</p>
</li>
<li>
<p>
<strong>105:2</strong> (back_orifice) BO client traffic detected
</p>
</li>
<li>
<p>
<strong>105:3</strong> (back_orifice) BO server traffic detected
</p>
</li>
<li>
<p>
<strong>105:4</strong> (back_orifice) BO Snort buffer attack
</p>
</li>
<li>
<p>
<strong>106:1</strong> (rpc_decode) fragmented RPC records
</p>
</li>
<li>
<p>
<strong>106:2</strong> (rpc_decode) multiple RPC records
</p>
</li>
<li>
<p>
<strong>106:3</strong> (rpc_decode) large RPC record fragment
</p>
</li>
<li>
<p>
<strong>106:4</strong> (rpc_decode) incomplete RPC segment
</p>
</li>
<li>
<p>
<strong>106:5</strong> (rpc_decode) zero-length RPC fragment
</p>
</li>
<li>
<p>
<strong>112:1</strong> (arp_spoof) unicast ARP request
</p>
</li>
<li>
<p>
<strong>112:2</strong> (arp_spoof) ethernet/ARP mismatch request for source
</p>
</li>
<li>
<p>
<strong>112:3</strong> (arp_spoof) ethernet/ARP mismatch request for destination
</p>
</li>
<li>
<p>
<strong>112:4</strong> (arp_spoof) attempted ARP cache overwrite attack
</p>
</li>
<li>
<p>
<strong>116:1</strong> (ipv4) not IPv4 datagram
</p>
</li>
<li>
<p>
<strong>116:2</strong> (ipv4) IPv4 header length &lt; minimum
</p>
</li>
<li>
<p>
<strong>116:3</strong> (ipv4) IPv4 datagram length &lt; header field
</p>
</li>
<li>
<p>
<strong>116:4</strong> (ipv4) IPv4 options found with bad lengths
</p>
</li>
<li>
<p>
<strong>116:5</strong> (ipv4) truncated IPv4 options
</p>
</li>
<li>
<p>
<strong>116:6</strong> (ipv4) IPv4 datagram length &gt; captured length
</p>
</li>
<li>
<p>
<strong>116:45</strong> (tcp) TCP packet length is smaller than 20 bytes
</p>
</li>
<li>
<p>
<strong>116:46</strong> (tcp) TCP data offset is less than 5
</p>
</li>
<li>
<p>
<strong>116:47</strong> (tcp) TCP header length exceeds packet length
</p>
</li>
<li>
<p>
<strong>116:54</strong> (tcp) TCP options found with bad lengths
</p>
</li>
<li>
<p>
<strong>116:55</strong> (tcp) truncated TCP options
</p>
</li>
<li>
<p>
<strong>116:56</strong> (tcp) T/TCP detected
</p>
</li>
<li>
<p>
<strong>116:57</strong> (tcp) obsolete TCP options found
</p>
</li>
<li>
<p>
<strong>116:58</strong> (tcp) experimental TCP options found
</p>
</li>
<li>
<p>
<strong>116:59</strong> (tcp) TCP window scale option found with length &gt; 14
</p>
</li>
<li>
<p>
<strong>116:95</strong> (udp) truncated UDP header
</p>
</li>
<li>
<p>
<strong>116:96</strong> (udp) invalid UDP header, length field &lt; 8
</p>
</li>
<li>
<p>
<strong>116:97</strong> (udp) short UDP packet, length field &gt; payload length
</p>
</li>
<li>
<p>
<strong>116:98</strong> (udp) long UDP packet, length field &lt; payload length
</p>
</li>
<li>
<p>
<strong>116:105</strong> (icmp4) ICMP header truncated
</p>
</li>
<li>
<p>
<strong>116:106</strong> (icmp4) ICMP timestamp header truncated
</p>
</li>
<li>
<p>
<strong>116:107</strong> (icmp4) ICMP address header truncated
</p>
</li>
<li>
<p>
<strong>116:109</strong> (arp) truncated ARP
</p>
</li>
<li>
<p>
<strong>116:110</strong> (eapol) truncated EAP header
</p>
</li>
<li>
<p>
<strong>116:111</strong> (eapol) EAP key truncated
</p>
</li>
<li>
<p>
<strong>116:112</strong> (eapol) EAP header truncated
</p>
</li>
<li>
<p>
<strong>116:120</strong> (pppoe) bad PPPOE frame detected
</p>
</li>
<li>
<p>
<strong>116:130</strong> (vlan) bad VLAN frame
</p>
</li>
<li>
<p>
<strong>116:131</strong> (llc) bad LLC header
</p>
</li>
<li>
<p>
<strong>116:132</strong> (llc) bad extra LLC info
</p>
</li>
<li>
<p>
<strong>116:133</strong> (wlan) bad 802.11 LLC header
</p>
</li>
<li>
<p>
<strong>116:134</strong> (wlan) bad 802.11 extra LLC info
</p>
</li>
<li>
<p>
<strong>116:140</strong> (token_ring) bad Token Ring header
</p>
</li>
<li>
<p>
<strong>116:141</strong> (token_ring) bad Token Ring ETHLLC header
</p>
</li>
<li>
<p>
<strong>116:142</strong> (token_ring) bad Token Ring MRLEN header
</p>
</li>
<li>
<p>
<strong>116:143</strong> (token_ring) bad Token Ring MR header
</p>
</li>
<li>
<p>
<strong>116:150</strong> (decode) loopback IP
</p>
</li>
<li>
<p>
<strong>116:151</strong> (decode) same src/dst IP
</p>
</li>
<li>
<p>
<strong>116:160</strong> (gre) GRE header length &gt; payload length
</p>
</li>
<li>
<p>
<strong>116:161</strong> (gre) multiple encapsulations in packet
</p>
</li>
<li>
<p>
<strong>116:162</strong> (gre) invalid GRE version
</p>
</li>
<li>
<p>
<strong>116:163</strong> (gre) invalid GRE header
</p>
</li>
<li>
<p>
<strong>116:164</strong> (gre) invalid GRE v.1 PPTP header
</p>
</li>
<li>
<p>
<strong>116:165</strong> (gre) GRE trans header length &gt; payload length
</p>
</li>
<li>
<p>
<strong>116:170</strong> (mpls) bad MPLS frame
</p>
</li>
<li>
<p>
<strong>116:171</strong> (mpls) MPLS label 0 appears in non-bottom header
</p>
</li>
<li>
<p>
<strong>116:172</strong> (mpls) MPLS label 1 appears in bottom header
</p>
</li>
<li>
<p>
<strong>116:173</strong> (mpls) MPLS label 2 appears in non-bottom header
</p>
</li>
<li>
<p>
<strong>116:174</strong> (mpls) MPLS label 3 appears in header
</p>
</li>
<li>
<p>
<strong>116:175</strong> (mpls) MPLS label 4, 5,.. or 15 appears in header
</p>
</li>
<li>
<p>
<strong>116:176</strong> (mpls) too many MPLS headers
</p>
</li>
<li>
<p>
<strong>116:250</strong> (icmp4) ICMP original IP header truncated
</p>
</li>
<li>
<p>
<strong>116:251</strong> (icmp4) ICMP version and original IP header versions differ
</p>
</li>
<li>
<p>
<strong>116:252</strong> (icmp4) ICMP original datagram length &lt; original IP header length
</p>
</li>
<li>
<p>
<strong>116:253</strong> (icmp4) ICMP original IP payload &lt; 64 bits
</p>
</li>
<li>
<p>
<strong>116:254</strong> (icmp4) ICMP original IP payload &gt; 576 bytes
</p>
</li>
<li>
<p>
<strong>116:255</strong> (icmp4) ICMP original IP fragmented and offset not 0
</p>
</li>
<li>
<p>
<strong>116:270</strong> (ipv6) IPv6 packet below TTL limit
</p>
</li>
<li>
<p>
<strong>116:271</strong> (ipv6) IPv6 header claims to not be IPv6
</p>
</li>
<li>
<p>
<strong>116:272</strong> (ipv6) IPv6 truncated extension header
</p>
</li>
<li>
<p>
<strong>116:273</strong> (ipv6) IPv6 truncated header
</p>
</li>
<li>
<p>
<strong>116:274</strong> (ipv6) IPv6 datagram length &lt; header field
</p>
</li>
<li>
<p>
<strong>116:275</strong> (ipv6) IPv6 datagram length &gt; captured length
</p>
</li>
<li>
<p>
<strong>116:276</strong> (ipv6) IPv6 packet with destination address ::0
</p>
</li>
<li>
<p>
<strong>116:277</strong> (ipv6) IPv6 packet with multicast source address
</p>
</li>
<li>
<p>
<strong>116:278</strong> (ipv6) IPv6 packet with reserved multicast destination address
</p>
</li>
<li>
<p>
<strong>116:279</strong> (ipv6) IPv6 header includes an undefined option type
</p>
</li>
<li>
<p>
<strong>116:280</strong> (ipv6) IPv6 address includes an unassigned multicast scope value
</p>
</li>
<li>
<p>
<strong>116:281</strong> (ipv6) IPv6 header includes an invalid value for the <em>next header</em> field
</p>
</li>
<li>
<p>
<strong>116:282</strong> (ipv6) IPv6 header includes a routing extension header followed by a hop-by-hop header
</p>
</li>
<li>
<p>
<strong>116:283</strong> (ipv6) IPv6 header includes two routing extension headers
</p>
</li>
<li>
<p>
<strong>116:285</strong> (icmp6) ICMPv6 packet of type 2 (message too big) with MTU field &lt; 1280
</p>
</li>
<li>
<p>
<strong>116:286</strong> (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 2463 code
</p>
</li>
<li>
<p>
<strong>116:287</strong> (icmp6) ICMPv6 router solicitation packet with a code not equal to 0
</p>
</li>
<li>
<p>
<strong>116:288</strong> (icmp6) ICMPv6 router advertisement packet with a code not equal to 0
</p>
</li>
<li>
<p>
<strong>116:289</strong> (icmp6) ICMPv6 router solicitation packet with the reserved field not equal to 0
</p>
</li>
<li>
<p>
<strong>116:290</strong> (icmp6) ICMPv6 router advertisement packet with the reachable time field set &gt; 1 hour
</p>
</li>
<li>
<p>
<strong>116:291</strong> (ipv6) IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux kernel attack
</p>
</li>
<li>
<p>
<strong>116:292</strong> (ipv6) IPv6 header has destination options followed by a routing header
</p>
</li>
<li>
<p>
<strong>116:293</strong> (decode) two or more IP (v4 and/or v6) encapsulation layers present
</p>
</li>
<li>
<p>
<strong>116:294</strong> (esp) truncated encapsulated security payload header
</p>
</li>
<li>
<p>
<strong>116:295</strong> (ipv6) IPv6 header includes an option which is too big for the containing header
</p>
</li>
<li>
<p>
<strong>116:296</strong> (ipv6) IPv6 packet includes out-of-order extension headers
</p>
</li>
<li>
<p>
<strong>116:297</strong> (gtp) two or more GTP encapsulation layers present
</p>
</li>
<li>
<p>
<strong>116:298</strong> (gtp) GTP header length is invalid
</p>
</li>
<li>
<p>
<strong>116:400</strong> (tcp) XMAS attack detected
</p>
</li>
<li>
<p>
<strong>116:401</strong> (tcp) Nmap XMAS attack detected
</p>
</li>
<li>
<p>
<strong>116:402</strong> (tcp) DOS NAPTHA vulnerability detected
</p>
</li>
<li>
<p>
<strong>116:403</strong> (tcp) SYN to multicast address
</p>
</li>
<li>
<p>
<strong>116:404</strong> (ipv4) IPv4 packet with zero TTL
</p>
</li>
<li>
<p>
<strong>116:405</strong> (ipv4) IPv4 packet with bad frag bits (both MF and DF set)
</p>
</li>
<li>
<p>
<strong>116:406</strong> (udp) invalid IPv6 UDP packet, checksum zero
</p>
</li>
<li>
<p>
<strong>116:407</strong> (ipv4) IPv4 packet frag offset + length exceed maximum
</p>
</li>
<li>
<p>
<strong>116:408</strong> (ipv4) IPv4 packet from <em>current net</em> source address
</p>
</li>
<li>
<p>
<strong>116:409</strong> (ipv4) IPv4 packet to <em>current net</em> dest address
</p>
</li>
<li>
<p>
<strong>116:410</strong> (ipv4) IPv4 packet from multicast source address
</p>
</li>
<li>
<p>
<strong>116:411</strong> (ipv4) IPv4 packet from reserved source address
</p>
</li>
<li>
<p>
<strong>116:412</strong> (ipv4) IPv4 packet to reserved dest address
</p>
</li>
<li>
<p>
<strong>116:413</strong> (ipv4) IPv4 packet from broadcast source address
</p>
</li>
<li>
<p>
<strong>116:414</strong> (ipv4) IPv4 packet to broadcast dest address
</p>
</li>
<li>
<p>
<strong>116:415</strong> (icmp4) ICMP4 packet to multicast dest address
</p>
</li>
<li>
<p>
<strong>116:416</strong> (icmp4) ICMP4 packet to broadcast dest address
</p>
</li>
<li>
<p>
<strong>116:418</strong> (icmp4) ICMP4 type other
</p>
</li>
<li>
<p>
<strong>116:419</strong> (tcp) TCP urgent pointer exceeds payload length or no payload
</p>
</li>
<li>
<p>
<strong>116:420</strong> (tcp) TCP SYN with FIN
</p>
</li>
<li>
<p>
<strong>116:421</strong> (tcp) TCP SYN with RST
</p>
</li>
<li>
<p>
<strong>116:422</strong> (tcp) TCP PDU missing ack for established session
</p>
</li>
<li>
<p>
<strong>116:423</strong> (tcp) TCP has no SYN, ACK, or RST
</p>
</li>
<li>
<p>
<strong>116:424</strong> (eth) truncated ethernet header
</p>
</li>
<li>
<p>
<strong>116:424</strong> (pbb) truncated ethernet header
</p>
</li>
<li>
<p>
<strong>116:425</strong> (ipv4) truncated IPv4 header
</p>
</li>
<li>
<p>
<strong>116:426</strong> (icmp4) truncated ICMP4 header
</p>
</li>
<li>
<p>
<strong>116:427</strong> (icmp6) truncated ICMPv6 header
</p>
</li>
<li>
<p>
<strong>116:428</strong> (ipv4) IPv4 packet below TTL limit
</p>
</li>
<li>
<p>
<strong>116:429</strong> (ipv6) IPv6 packet has zero hop limit
</p>
</li>
<li>
<p>
<strong>116:430</strong> (ipv4) IPv4 packet both DF and offset set
</p>
</li>
<li>
<p>
<strong>116:431</strong> (icmp6) ICMPv6 type not decoded
</p>
</li>
<li>
<p>
<strong>116:432</strong> (icmp6) ICMPv6 packet to multicast address
</p>
</li>
<li>
<p>
<strong>116:433</strong> (tcp) DDOS shaft SYN flood
</p>
</li>
<li>
<p>
<strong>116:434</strong> (icmp4) ICMP ping Nmap
</p>
</li>
<li>
<p>
<strong>116:435</strong> (icmp4) ICMP icmpenum v1.1.1
</p>
</li>
<li>
<p>
<strong>116:436</strong> (icmp4) ICMP redirect host
</p>
</li>
<li>
<p>
<strong>116:437</strong> (icmp4) ICMP redirect net
</p>
</li>
<li>
<p>
<strong>116:438</strong> (icmp4) ICMP traceroute ipopts
</p>
</li>
<li>
<p>
<strong>116:439</strong> (icmp4) ICMP source quench
</p>
</li>
<li>
<p>
<strong>116:440</strong> (icmp4) broadscan smurf scanner
</p>
</li>
<li>
<p>
<strong>116:441</strong> (icmp4) ICMP destination unreachable communication administratively prohibited
</p>
</li>
<li>
<p>
<strong>116:442</strong> (icmp4) ICMP destination unreachable communication with destination host is administratively prohibited
</p>
</li>
<li>
<p>
<strong>116:443</strong> (icmp4) ICMP destination unreachable communication with destination network is administratively prohibited
</p>
</li>
<li>
<p>
<strong>116:444</strong> (ipv4) IPv4 option set
</p>
</li>
<li>
<p>
<strong>116:445</strong> (udp) large UDP packet (&gt; 4000 bytes)
</p>
</li>
<li>
<p>
<strong>116:446</strong> (tcp) TCP port 0 traffic
</p>
</li>
<li>
<p>
<strong>116:447</strong> (udp) UDP port 0 traffic
</p>
</li>
<li>
<p>
<strong>116:448</strong> (ipv4) IPv4 reserved bit set
</p>
</li>
<li>
<p>
<strong>116:449</strong> (decode) unassigned/reserved IP protocol
</p>
</li>
<li>
<p>
<strong>116:450</strong> (decode) bad IP protocol
</p>
</li>
<li>
<p>
<strong>116:451</strong> (icmp4) ICMP path MTU denial of service attempt
</p>
</li>
<li>
<p>
<strong>116:452</strong> (icmp4) Linux ICMP header DOS attempt
</p>
</li>
<li>
<p>
<strong>116:453</strong> (ipv6) ISATAP-addressed IPv6 traffic spoofing attempt
</p>
</li>
<li>
<p>
<strong>116:454</strong> (pgm) PGM nak list overflow attempt
</p>
</li>
<li>
<p>
<strong>116:455</strong> (igmp) DOS IGMP IP options validation attempt
</p>
</li>
<li>
<p>
<strong>116:456</strong> (ipv6) too many IPv6 extension headers
</p>
</li>
<li>
<p>
<strong>116:457</strong> (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 4443 code
</p>
</li>
<li>
<p>
<strong>116:458</strong> (ipv6) bogus fragmentation packet, possible BSD attack
</p>
</li>
<li>
<p>
<strong>116:459</strong> (decode) fragment with zero length
</p>
</li>
<li>
<p>
<strong>116:460</strong> (icmp6) ICMPv6 node info query/response packet with a code greater than 2
</p>
</li>
<li>
<p>
<strong>116:461</strong> (ipv6) IPv6 routing type 0 extension header
</p>
</li>
<li>
<p>
<strong>116:462</strong> (erspan2) ERSpan header version mismatch
</p>
</li>
<li>
<p>
<strong>116:463</strong> (erspan2) captured length &lt; ERSpan type2 header length
</p>
</li>
<li>
<p>
<strong>116:464</strong> (erspan3) captured &lt; ERSpan type3 header length
</p>
</li>
<li>
<p>
<strong>116:465</strong> (auth) truncated authentication header
</p>
</li>
<li>
<p>
<strong>116:466</strong> (auth) bad authentication header length
</p>
</li>
<li>
<p>
<strong>116:467</strong> (fabricpath) truncated FabricPath header
</p>
</li>
<li>
<p>
<strong>116:468</strong> (ciscometadata) truncated Cisco Metadata header
</p>
</li>
<li>
<p>
<strong>116:469</strong> (ciscometadata) invalid Cisco Metadata option length
</p>
</li>
<li>
<p>
<strong>116:470</strong> (ciscometadata) invalid Cisco Metadata option type
</p>
</li>
<li>
<p>
<strong>116:471</strong> (ciscometadata) invalid Cisco Metadata SGT
</p>
</li>
<li>
<p>
<strong>116:472</strong> (decode) too many protocols present
</p>
</li>
<li>
<p>
<strong>116:473</strong> (decode) ether type out of range
</p>
</li>
<li>
<p>
<strong>116:474</strong> (icmp6) ICMPv6 not encapsulated in IPv6
</p>
</li>
<li>
<p>
<strong>116:475</strong> (ipv6) IPv6 mobility header includes an invalid value for the <em>payload protocol</em> field
</p>
</li>
<li>
<p>
<strong>119:1</strong> (http_inspect) ascii encoding
</p>
</li>
<li>
<p>
<strong>119:2</strong> (http_inspect) double decoding attack
</p>
</li>
<li>
<p>
<strong>119:3</strong> (http_inspect) u encoding
</p>
</li>
<li>
<p>
<strong>119:4</strong> (http_inspect) bare byte unicode encoding
</p>
</li>
<li>
<p>
<strong>119:5</strong> (http_inspect) obsolete event&#8212;deleted
</p>
</li>
<li>
<p>
<strong>119:6</strong> (http_inspect) UTF-8 encoding
</p>
</li>
<li>
<p>
<strong>119:7</strong> (http_inspect) unicode map code point encoding in URI
</p>
</li>
<li>
<p>
<strong>119:8</strong> (http_inspect) multi_slash encoding
</p>
</li>
<li>
<p>
<strong>119:9</strong> (http_inspect) backslash used in URI path
</p>
</li>
<li>
<p>
<strong>119:10</strong> (http_inspect) self directory traversal
</p>
</li>
<li>
<p>
<strong>119:11</strong> (http_inspect) directory traversal
</p>
</li>
<li>
<p>
<strong>119:12</strong> (http_inspect) apache whitespace (tab)
</p>
</li>
<li>
<p>
<strong>119:13</strong> (http_inspect) HTTP header line terminated by LF without a CR
</p>
</li>
<li>
<p>
<strong>119:14</strong> (http_inspect) non-RFC defined char
</p>
</li>
<li>
<p>
<strong>119:15</strong> (http_inspect) oversize request-uri directory
</p>
</li>
<li>
<p>
<strong>119:16</strong> (http_inspect) oversize chunk encoding
</p>
</li>
<li>
<p>
<strong>119:17</strong> (http_inspect) unauthorized proxy use detected
</p>
</li>
<li>
<p>
<strong>119:18</strong> (http_inspect) webroot directory traversal
</p>
</li>
<li>
<p>
<strong>119:19</strong> (http_inspect) long header
</p>
</li>
<li>
<p>
<strong>119:20</strong> (http_inspect) max header fields
</p>
</li>
<li>
<p>
<strong>119:21</strong> (http_inspect) multiple content length
</p>
</li>
<li>
<p>
<strong>119:22</strong> (http_inspect) obsolete event&#8212;deleted
</p>
</li>
<li>
<p>
<strong>119:23</strong> (http_inspect) invalid IP in true-client-IP/XFF header
</p>
</li>
<li>
<p>
<strong>119:24</strong> (http_inspect) multiple host hdrs detected
</p>
</li>
<li>
<p>
<strong>119:25</strong> (http_inspect) hostname exceeds 255 characters
</p>
</li>
<li>
<p>
<strong>119:26</strong> (http_inspect) too much whitespace in header (not implemented yet)
</p>
</li>
<li>
<p>
<strong>119:27</strong> (http_inspect) client consecutive small chunk sizes
</p>
</li>
<li>
<p>
<strong>119:28</strong> (http_inspect) POST or PUT w/o content-length or chunks
</p>
</li>
<li>
<p>
<strong>119:29</strong> (http_inspect) multiple true ips in a session
</p>
</li>
<li>
<p>
<strong>119:30</strong> (http_inspect) both true-client-IP and XFF hdrs present
</p>
</li>
<li>
<p>
<strong>119:31</strong> (http_inspect) unknown method
</p>
</li>
<li>
<p>
<strong>119:32</strong> (http_inspect) simple request
</p>
</li>
<li>
<p>
<strong>119:33</strong> (http_inspect) unescaped space in HTTP URI
</p>
</li>
<li>
<p>
<strong>119:34</strong> (http_inspect) too many pipelined requests
</p>
</li>
<li>
<p>
<strong>119:101</strong> (http_inspect) obsolete event&#8212;deleted
</p>
</li>
<li>
<p>
<strong>119:102</strong> (http_inspect) invalid status code in HTTP response
</p>
</li>
<li>
<p>
<strong>119:103</strong> (http_inspect) unused event number&#8212;should not appear
</p>
</li>
<li>
<p>
<strong>119:104</strong> (http_inspect) HTTP response has UTF charset that failed to normalize
</p>
</li>
<li>
<p>
<strong>119:105</strong> (http_inspect) HTTP response has UTF-7 charset
</p>
</li>
<li>
<p>
<strong>119:106</strong> (http_inspect) HTTP response gzip decompression failed
</p>
</li>
<li>
<p>
<strong>119:107</strong> (http_inspect) server consecutive small chunk sizes
</p>
</li>
<li>
<p>
<strong>119:108</strong> (http_inspect) unused event number&#8212;should not appear
</p>
</li>
<li>
<p>
<strong>119:109</strong> (http_inspect) javascript obfuscation levels exceeds 1
</p>
</li>
<li>
<p>
<strong>119:110</strong> (http_inspect) javascript whitespaces exceeds max allowed
</p>
</li>
<li>
<p>
<strong>119:111</strong> (http_inspect) multiple encodings within javascript obfuscated data
</p>
</li>
<li>
<p>
<strong>119:112</strong> (http_inspect) SWF file zlib decompression failure
</p>
</li>
<li>
<p>
<strong>119:113</strong> (http_inspect) SWF file LZMA decompression failure
</p>
</li>
<li>
<p>
<strong>119:114</strong> (http_inspect) PDF file deflate decompression failure
</p>
</li>
<li>
<p>
<strong>119:115</strong> (http_inspect) PDF file unsupported compression type
</p>
</li>
<li>
<p>
<strong>119:116</strong> (http_inspect) PDF file cascaded compression
</p>
</li>
<li>
<p>
<strong>119:117</strong> (http_inspect) PDF file parse failure
</p>
</li>
<li>
<p>
<strong>119:201</strong> (http_inspect) not HTTP traffic
</p>
</li>
<li>
<p>
<strong>119:202</strong> (http_inspect) chunk length has excessive leading zeros
</p>
</li>
<li>
<p>
<strong>119:203</strong> (http_inspect) white space before or between messages
</p>
</li>
<li>
<p>
<strong>119:204</strong> (http_inspect) request message without URI
</p>
</li>
<li>
<p>
<strong>119:205</strong> (http_inspect) control character in reason phrase
</p>
</li>
<li>
<p>
<strong>119:206</strong> (http_inspect) illegal extra whitespace in start line
</p>
</li>
<li>
<p>
<strong>119:207</strong> (http_inspect) corrupted HTTP version
</p>
</li>
<li>
<p>
<strong>119:208</strong> (http_inspect) unknown HTTP version
</p>
</li>
<li>
<p>
<strong>119:209</strong> (http_inspect) format error in HTTP header
</p>
</li>
<li>
<p>
<strong>119:210</strong> (http_inspect) chunk header options present
</p>
</li>
<li>
<p>
<strong>119:211</strong> (http_inspect) URI badly formatted
</p>
</li>
<li>
<p>
<strong>119:212</strong> (http_inspect) unrecognized type of percent encoding in URI
</p>
</li>
<li>
<p>
<strong>119:213</strong> (http_inspect) HTTP chunk misformatted
</p>
</li>
<li>
<p>
<strong>119:214</strong> (http_inspect) white space adjacent to chunk length
</p>
</li>
<li>
<p>
<strong>119:215</strong> (http_inspect) white space within header name
</p>
</li>
<li>
<p>
<strong>119:216</strong> (http_inspect) excessive gzip compression
</p>
</li>
<li>
<p>
<strong>119:217</strong> (http_inspect) gzip decompression failed
</p>
</li>
<li>
<p>
<strong>119:218</strong> (http_inspect) HTTP 0.9 requested followed by another request
</p>
</li>
<li>
<p>
<strong>119:219</strong> (http_inspect) HTTP 0.9 request following a normal request
</p>
</li>
<li>
<p>
<strong>119:220</strong> (http_inspect) message has both Content-Length and Transfer-Encoding
</p>
</li>
<li>
<p>
<strong>119:221</strong> (http_inspect) status code implying no body combined with Transfer-Encoding or nonzero Content-Length
</p>
</li>
<li>
<p>
<strong>119:222</strong> (http_inspect) Transfer-Encoding not ending with chunked
</p>
</li>
<li>
<p>
<strong>119:223</strong> (http_inspect) Transfer-Encoding with encodings before chunked
</p>
</li>
<li>
<p>
<strong>119:224</strong> (http_inspect) misformatted HTTP traffic
</p>
</li>
<li>
<p>
<strong>119:225</strong> (http_inspect) unsupported Content-Encoding used
</p>
</li>
<li>
<p>
<strong>119:226</strong> (http_inspect) unknown Content-Encoding used
</p>
</li>
<li>
<p>
<strong>119:227</strong> (http_inspect) multiple Content-Encodings applied
</p>
</li>
<li>
<p>
<strong>119:228</strong> (http_inspect) server response before client request
</p>
</li>
<li>
<p>
<strong>119:229</strong> (http_inspect) PDF/SWF/ZIP decompression of server response too big
</p>
</li>
<li>
<p>
<strong>119:230</strong> (http_inspect) nonprinting character in HTTP message header name
</p>
</li>
<li>
<p>
<strong>119:231</strong> (http_inspect) bad Content-Length value in HTTP header
</p>
</li>
<li>
<p>
<strong>119:232</strong> (http_inspect) HTTP header line wrapped
</p>
</li>
<li>
<p>
<strong>119:233</strong> (http_inspect) HTTP header line terminated by CR without a LF
</p>
</li>
<li>
<p>
<strong>119:234</strong> (http_inspect) chunk terminated by nonstandard separator
</p>
</li>
<li>
<p>
<strong>119:235</strong> (http_inspect) chunk length terminated by LF without CR
</p>
</li>
<li>
<p>
<strong>119:236</strong> (http_inspect) more than one response with 100 status code
</p>
</li>
<li>
<p>
<strong>119:237</strong> (http_inspect) 100 status code not in response to Expect header
</p>
</li>
<li>
<p>
<strong>119:238</strong> (http_inspect) 1XX status code other than 100 or 101
</p>
</li>
<li>
<p>
<strong>119:239</strong> (http_inspect) Expect header sent without a message body
</p>
</li>
<li>
<p>
<strong>119:240</strong> (http_inspect) HTTP 1.0 message with Transfer-Encoding header
</p>
</li>
<li>
<p>
<strong>119:241</strong> (http_inspect) Content-Transfer-Encoding used as HTTP header
</p>
</li>
<li>
<p>
<strong>119:242</strong> (http_inspect) illegal field in chunked message trailers
</p>
</li>
<li>
<p>
<strong>119:243</strong> (http_inspect) header field inappropriately appears twice or has two values
</p>
</li>
<li>
<p>
<strong>119:244</strong> (http_inspect) invalid value chunked in Content-Encoding header
</p>
</li>
<li>
<p>
<strong>119:245</strong> (http_inspect) 206 response sent to a request without a Range header
</p>
</li>
<li>
<p>
<strong>119:246</strong> (http_inspect) <em>HTTP</em> in version field not all upper case
</p>
</li>
<li>
<p>
<strong>119:247</strong> (http_inspect) white space embedded in critical header value
</p>
</li>
<li>
<p>
<strong>119:248</strong> (http_inspect) gzip compressed data followed by unexpected non-gzip data
</p>
</li>
<li>
<p>
<strong>121:1</strong> (http2_inspect) error in HPACK integer value
</p>
</li>
<li>
<p>
<strong>121:2</strong> (http2_inspect) integer value has leading zeros
</p>
</li>
<li>
<p>
<strong>121:3</strong> (http2_inspect) error in HPACK string value
</p>
</li>
<li>
<p>
<strong>121:4</strong> (http2_inspect) missing continuation frame
</p>
</li>
<li>
<p>
<strong>121:5</strong> (http2_inspect) unexpected continuation frame
</p>
</li>
<li>
<p>
<strong>122:1</strong> (port_scan) TCP portscan
</p>
</li>
<li>
<p>
<strong>122:2</strong> (port_scan) TCP decoy portscan
</p>
</li>
<li>
<p>
<strong>122:3</strong> (port_scan) TCP portsweep
</p>
</li>
<li>
<p>
<strong>122:4</strong> (port_scan) TCP distributed portscan
</p>
</li>
<li>
<p>
<strong>122:5</strong> (port_scan) TCP filtered portscan
</p>
</li>
<li>
<p>
<strong>122:6</strong> (port_scan) TCP filtered decoy portscan
</p>
</li>
<li>
<p>
<strong>122:7</strong> (port_scan) TCP filtered portsweep
</p>
</li>
<li>
<p>
<strong>122:8</strong> (port_scan) TCP filtered distributed portscan
</p>
</li>
<li>
<p>
<strong>122:9</strong> (port_scan) IP protocol scan
</p>
</li>
<li>
<p>
<strong>122:10</strong> (port_scan) IP decoy protocol scan
</p>
</li>
<li>
<p>
<strong>122:11</strong> (port_scan) IP protocol sweep
</p>
</li>
<li>
<p>
<strong>122:12</strong> (port_scan) IP distributed protocol scan
</p>
</li>
<li>
<p>
<strong>122:13</strong> (port_scan) IP filtered protocol scan
</p>
</li>
<li>
<p>
<strong>122:14</strong> (port_scan) IP filtered decoy protocol scan
</p>
</li>
<li>
<p>
<strong>122:15</strong> (port_scan) IP filtered protocol sweep
</p>
</li>
<li>
<p>
<strong>122:16</strong> (port_scan) IP filtered distributed protocol scan
</p>
</li>
<li>
<p>
<strong>122:17</strong> (port_scan) UDP portscan
</p>
</li>
<li>
<p>
<strong>122:18</strong> (port_scan) UDP decoy portscan
</p>
</li>
<li>
<p>
<strong>122:19</strong> (port_scan) UDP portsweep
</p>
</li>
<li>
<p>
<strong>122:20</strong> (port_scan) UDP distributed portscan
</p>
</li>
<li>
<p>
<strong>122:21</strong> (port_scan) UDP filtered portscan
</p>
</li>
<li>
<p>
<strong>122:22</strong> (port_scan) UDP filtered decoy portscan
</p>
</li>
<li>
<p>
<strong>122:23</strong> (port_scan) UDP filtered portsweep
</p>
</li>
<li>
<p>
<strong>122:24</strong> (port_scan) UDP filtered distributed portscan
</p>
</li>
<li>
<p>
<strong>122:25</strong> (port_scan) ICMP sweep
</p>
</li>
<li>
<p>
<strong>122:26</strong> (port_scan) ICMP filtered sweep
</p>
</li>
<li>
<p>
<strong>122:27</strong> (port_scan) open port
</p>
</li>
<li>
<p>
<strong>123:1</strong> (stream_ip) inconsistent IP options on fragmented packets
</p>
</li>
<li>
<p>
<strong>123:2</strong> (stream_ip) teardrop attack
</p>
</li>
<li>
<p>
<strong>123:3</strong> (stream_ip) short fragment, possible DOS attempt
</p>
</li>
<li>
<p>
<strong>123:4</strong> (stream_ip) fragment packet ends after defragmented packet
</p>
</li>
<li>
<p>
<strong>123:5</strong> (stream_ip) zero-byte fragment packet
</p>
</li>
<li>
<p>
<strong>123:6</strong> (stream_ip) bad fragment size, packet size is negative
</p>
</li>
<li>
<p>
<strong>123:7</strong> (stream_ip) bad fragment size, packet size is greater than 65536
</p>
</li>
<li>
<p>
<strong>123:8</strong> (stream_ip) fragmentation overlap
</p>
</li>
<li>
<p>
<strong>123:11</strong> (stream_ip) TTL value less than configured minimum, not using for reassembly
</p>
</li>
<li>
<p>
<strong>123:12</strong> (stream_ip) excessive fragment overlap
</p>
</li>
<li>
<p>
<strong>123:13</strong> (stream_ip) tiny fragment
</p>
</li>
<li>
<p>
<strong>124:1</strong> (smtp) attempted command buffer overflow
</p>
</li>
<li>
<p>
<strong>124:2</strong> (smtp) attempted data header buffer overflow
</p>
</li>
<li>
<p>
<strong>124:3</strong> (smtp) attempted response buffer overflow
</p>
</li>
<li>
<p>
<strong>124:4</strong> (smtp) attempted specific command buffer overflow
</p>
</li>
<li>
<p>
<strong>124:5</strong> (smtp) unknown command
</p>
</li>
<li>
<p>
<strong>124:6</strong> (smtp) illegal command
</p>
</li>
<li>
<p>
<strong>124:7</strong> (smtp) attempted header name buffer overflow
</p>
</li>
<li>
<p>
<strong>124:8</strong> (smtp) attempted X-Link2State command buffer overflow
</p>
</li>
<li>
<p>
<strong>124:10</strong> (smtp) base64 decoding failed
</p>
</li>
<li>
<p>
<strong>124:11</strong> (smtp) quoted-printable decoding failed
</p>
</li>
<li>
<p>
<strong>124:13</strong> (smtp) Unix-to-Unix decoding failed
</p>
</li>
<li>
<p>
<strong>124:14</strong> (smtp) Cyrus SASL authentication attack
</p>
</li>
<li>
<p>
<strong>124:15</strong> (smtp) attempted authentication command buffer overflow
</p>
</li>
<li>
<p>
<strong>124:16</strong> (smtp) file decompression failed
</p>
</li>
<li>
<p>
<strong>125:1</strong> (ftp_server) TELNET cmd on FTP command channel
</p>
</li>
<li>
<p>
<strong>125:2</strong> (ftp_server) invalid FTP command
</p>
</li>
<li>
<p>
<strong>125:3</strong> (ftp_server) FTP command parameters were too long
</p>
</li>
<li>
<p>
<strong>125:4</strong> (ftp_server) FTP command parameters were malformed
</p>
</li>
<li>
<p>
<strong>125:5</strong> (ftp_server) FTP command parameters contained potential string format
</p>
</li>
<li>
<p>
<strong>125:6</strong> (ftp_server) FTP response message was too long
</p>
</li>
<li>
<p>
<strong>125:7</strong> (ftp_server) FTP traffic encrypted
</p>
</li>
<li>
<p>
<strong>125:8</strong> (ftp_server) FTP bounce attempt
</p>
</li>
<li>
<p>
<strong>125:9</strong> (ftp_server) evasive (incomplete) TELNET cmd on FTP command channel
</p>
</li>
<li>
<p>
<strong>126:1</strong> (telnet) consecutive Telnet AYT commands beyond threshold
</p>
</li>
<li>
<p>
<strong>126:2</strong> (telnet) Telnet traffic encrypted
</p>
</li>
<li>
<p>
<strong>126:3</strong> (telnet) Telnet subnegotiation begin command without subnegotiation end
</p>
</li>
<li>
<p>
<strong>128:1</strong> (ssh) challenge-response overflow exploit
</p>
</li>
<li>
<p>
<strong>128:2</strong> (ssh) SSH1 CRC32 exploit
</p>
</li>
<li>
<p>
<strong>128:3</strong> (ssh) server version string overflow
</p>
</li>
<li>
<p>
<strong>128:5</strong> (ssh) bad message direction
</p>
</li>
<li>
<p>
<strong>128:6</strong> (ssh) payload size incorrect for the given payload
</p>
</li>
<li>
<p>
<strong>128:7</strong> (ssh) failed to detect SSH version string
</p>
</li>
<li>
<p>
<strong>129:1</strong> (stream_tcp) SYN on established session
</p>
</li>
<li>
<p>
<strong>129:2</strong> (stream_tcp) data on SYN packet
</p>
</li>
<li>
<p>
<strong>129:3</strong> (stream_tcp) data sent on stream not accepting data
</p>
</li>
<li>
<p>
<strong>129:4</strong> (stream_tcp) TCP timestamp is outside of PAWS window
</p>
</li>
<li>
<p>
<strong>129:5</strong> (stream_tcp) bad segment, adjusted size &#8656; 0 (deprecated)
</p>
</li>
<li>
<p>
<strong>129:6</strong> (stream_tcp) window size (after scaling) larger than policy allows
</p>
</li>
<li>
<p>
<strong>129:7</strong> (stream_tcp) limit on number of overlapping TCP packets reached
</p>
</li>
<li>
<p>
<strong>129:8</strong> (stream_tcp) data sent on stream after TCP reset sent
</p>
</li>
<li>
<p>
<strong>129:9</strong> (stream_tcp) TCP client possibly hijacked, different ethernet address
</p>
</li>
<li>
<p>
<strong>129:10</strong> (stream_tcp) TCP server possibly hijacked, different ethernet address
</p>
</li>
<li>
<p>
<strong>129:11</strong> (stream_tcp) TCP data with no TCP flags set
</p>
</li>
<li>
<p>
<strong>129:12</strong> (stream_tcp) consecutive TCP small segments exceeding threshold
</p>
</li>
<li>
<p>
<strong>129:13</strong> (stream_tcp) 4-way handshake detected
</p>
</li>
<li>
<p>
<strong>129:14</strong> (stream_tcp) TCP timestamp is missing
</p>
</li>
<li>
<p>
<strong>129:15</strong> (stream_tcp) reset outside window
</p>
</li>
<li>
<p>
<strong>129:16</strong> (stream_tcp) FIN number is greater than prior FIN
</p>
</li>
<li>
<p>
<strong>129:17</strong> (stream_tcp) ACK number is greater than prior FIN
</p>
</li>
<li>
<p>
<strong>129:18</strong> (stream_tcp) data sent on stream after TCP reset received
</p>
</li>
<li>
<p>
<strong>129:19</strong> (stream_tcp) TCP window closed before receiving data
</p>
</li>
<li>
<p>
<strong>129:20</strong> (stream_tcp) TCP session without 3-way handshake
</p>
</li>
<li>
<p>
<strong>131:1</strong> (dns) obsolete DNS RR types
</p>
</li>
<li>
<p>
<strong>131:2</strong> (dns) experimental DNS RR types
</p>
</li>
<li>
<p>
<strong>131:3</strong> (dns) DNS client rdata txt overflow
</p>
</li>
<li>
<p>
<strong>133:2</strong> (dce_smb) SMB - bad NetBIOS session service session type
</p>
</li>
<li>
<p>
<strong>133:3</strong> (dce_smb) SMB - bad SMB message type
</p>
</li>
<li>
<p>
<strong>133:4</strong> (dce_smb) SMB - bad SMB Id (not \xffSMB for SMB1 or not \xfeSMB for SMB2)
</p>
</li>
<li>
<p>
<strong>133:5</strong> (dce_smb) SMB - bad word count or structure size
</p>
</li>
<li>
<p>
<strong>133:6</strong> (dce_smb) SMB - bad byte count
</p>
</li>
<li>
<p>
<strong>133:7</strong> (dce_smb) SMB - bad format type
</p>
</li>
<li>
<p>
<strong>133:8</strong> (dce_smb) SMB - bad offset
</p>
</li>
<li>
<p>
<strong>133:9</strong> (dce_smb) SMB - zero total data count
</p>
</li>
<li>
<p>
<strong>133:10</strong> (dce_smb) SMB - NetBIOS data length less than SMB header length
</p>
</li>
<li>
<p>
<strong>133:11</strong> (dce_smb) SMB - remaining NetBIOS data length less than command length
</p>
</li>
<li>
<p>
<strong>133:12</strong> (dce_smb) SMB - remaining NetBIOS data length less than command byte count
</p>
</li>
<li>
<p>
<strong>133:13</strong> (dce_smb) SMB - remaining NetBIOS data length less than command data size
</p>
</li>
<li>
<p>
<strong>133:14</strong> (dce_smb) SMB - remaining total data count less than this command data size
</p>
</li>
<li>
<p>
<strong>133:15</strong> (dce_smb) SMB - total data sent (STDu64) greater than command total data expected
</p>
</li>
<li>
<p>
<strong>133:16</strong> (dce_smb) SMB - byte count less than command data size (STDu64)
</p>
</li>
<li>
<p>
<strong>133:17</strong> (dce_smb) SMB - invalid command data size for byte count
</p>
</li>
<li>
<p>
<strong>133:18</strong> (dce_smb) SMB - excessive tree connect requests with pending tree connect responses
</p>
</li>
<li>
<p>
<strong>133:19</strong> (dce_smb) SMB - excessive read requests with pending read responses
</p>
</li>
<li>
<p>
<strong>133:20</strong> (dce_smb) SMB - excessive command chaining
</p>
</li>
<li>
<p>
<strong>133:21</strong> (dce_smb) SMB - multiple chained tree connect requests
</p>
</li>
<li>
<p>
<strong>133:22</strong> (dce_smb) SMB - multiple chained tree connect requests
</p>
</li>
<li>
<p>
<strong>133:23</strong> (dce_smb) SMB - chained/compounded login followed by logoff
</p>
</li>
<li>
<p>
<strong>133:24</strong> (dce_smb) SMB - chained/compounded tree connect followed by tree disconnect
</p>
</li>
<li>
<p>
<strong>133:25</strong> (dce_smb) SMB - chained/compounded open pipe followed by close pipe
</p>
</li>
<li>
<p>
<strong>133:26</strong> (dce_smb) SMB - invalid share access
</p>
</li>
<li>
<p>
<strong>133:27</strong> (dce_tcp) connection oriented DCE/RPC - invalid major version
</p>
</li>
<li>
<p>
<strong>133:28</strong> (dce_tcp) connection oriented DCE/RPC - invalid minor version
</p>
</li>
<li>
<p>
<strong>133:29</strong> (dce_tcp) connection-oriented DCE/RPC - invalid PDU type
</p>
</li>
<li>
<p>
<strong>133:30</strong> (dce_tcp) connection-oriented DCE/RPC - fragment length less than header size
</p>
</li>
<li>
<p>
<strong>133:31</strong> (dce_tcp) connection-oriented DCE/RPC - remaining fragment length less than size needed
</p>
</li>
<li>
<p>
<strong>133:32</strong> (dce_tcp) connection-oriented DCE/RPC - no context items specified
</p>
</li>
<li>
<p>
<strong>133:33</strong> (dce_tcp) connection-oriented DCE/RPC -no transfer syntaxes specified
</p>
</li>
<li>
<p>
<strong>133:34</strong> (dce_tcp) connection-oriented DCE/RPC - fragment length on non-last fragment less than maximum negotiated fragment transmit size for client
</p>
</li>
<li>
<p>
<strong>133:35</strong> (dce_tcp) connection-oriented DCE/RPC - fragment length greater than maximum negotiated fragment transmit size
</p>
</li>
<li>
<p>
<strong>133:36</strong> (dce_tcp) connection-oriented DCE/RPC - alter context byte order different from bind
</p>
</li>
<li>
<p>
<strong>133:37</strong> (dce_tcp) connection-oriented DCE/RPC - call id of non first/last fragment different from call id established for fragmented request
</p>
</li>
<li>
<p>
<strong>133:38</strong> (dce_tcp) connection-oriented DCE/RPC - opnum of non first/last fragment different from opnum established for fragmented request
</p>
</li>
<li>
<p>
<strong>133:39</strong> (dce_tcp) connection-oriented DCE/RPC - context id of non first/last fragment different from context id established for fragmented request
</p>
</li>
<li>
<p>
<strong>133:40</strong> (dce_udp) connection-less DCE/RPC - invalid major version
</p>
</li>
<li>
<p>
<strong>133:41</strong> (dce_udp) connection-less DCE/RPC - invalid PDU type
</p>
</li>
<li>
<p>
<strong>133:42</strong> (dce_udp) connection-less DCE/RPC - data length less than header size
</p>
</li>
<li>
<p>
<strong>133:43</strong> (dce_udp) connection-less DCE/RPC - bad sequence number
</p>
</li>
<li>
<p>
<strong>133:44</strong> (dce_smb) SMB - invalid SMB version 1 seen
</p>
</li>
<li>
<p>
<strong>133:45</strong> (dce_smb) SMB - invalid SMB version 2 seen
</p>
</li>
<li>
<p>
<strong>133:46</strong> (dce_smb) SMB - invalid user, tree connect, file binding
</p>
</li>
<li>
<p>
<strong>133:47</strong> (dce_smb) SMB - excessive command compounding
</p>
</li>
<li>
<p>
<strong>133:48</strong> (dce_smb) SMB - zero data count
</p>
</li>
<li>
<p>
<strong>133:50</strong> (dce_smb) SMB - maximum number of outstanding requests exceeded
</p>
</li>
<li>
<p>
<strong>133:51</strong> (dce_smb) SMB - outstanding requests with same MID
</p>
</li>
<li>
<p>
<strong>133:52</strong> (dce_smb) SMB - deprecated dialect negotiated
</p>
</li>
<li>
<p>
<strong>133:53</strong> (dce_smb) SMB - deprecated command used
</p>
</li>
<li>
<p>
<strong>133:54</strong> (dce_smb) SMB - unusual command used
</p>
</li>
<li>
<p>
<strong>133:55</strong> (dce_smb) SMB - invalid setup count for command
</p>
</li>
<li>
<p>
<strong>133:56</strong> (dce_smb) SMB - client attempted multiple dialect negotiations on session
</p>
</li>
<li>
<p>
<strong>133:57</strong> (dce_smb) SMB - client attempted to create or set a file&#8217;s attributes to readonly/hidden/system
</p>
</li>
<li>
<p>
<strong>133:58</strong> (dce_smb) SMB - file offset provided is greater than file size specified
</p>
</li>
<li>
<p>
<strong>133:59</strong> (dce_smb) SMB - next command specified in SMB2 header is beyond payload boundary
</p>
</li>
<li>
<p>
<strong>134:1</strong> (latency) rule tree suspended due to latency
</p>
</li>
<li>
<p>
<strong>134:2</strong> (latency) rule tree re-enabled after suspend timeout
</p>
</li>
<li>
<p>
<strong>134:3</strong> (latency) packet fastpathed due to latency
</p>
</li>
<li>
<p>
<strong>135:1</strong> (stream) TCP SYN received
</p>
</li>
<li>
<p>
<strong>135:2</strong> (stream) TCP session established
</p>
</li>
<li>
<p>
<strong>135:3</strong> (stream) TCP session cleared
</p>
</li>
<li>
<p>
<strong>136:1</strong> (reputation) packets blacklisted
</p>
</li>
<li>
<p>
<strong>136:2</strong> (reputation) packets whitelisted
</p>
</li>
<li>
<p>
<strong>136:3</strong> (reputation) packets monitored
</p>
</li>
<li>
<p>
<strong>137:1</strong> (ssl) invalid client HELLO after server HELLO detected
</p>
</li>
<li>
<p>
<strong>137:2</strong> (ssl) invalid server HELLO without client HELLO detected
</p>
</li>
<li>
<p>
<strong>137:3</strong> (ssl) heartbeat read overrun attempt detected
</p>
</li>
<li>
<p>
<strong>137:4</strong> (ssl) large heartbeat response detected
</p>
</li>
<li>
<p>
<strong>140:2</strong> (sip) empty request URI
</p>
</li>
<li>
<p>
<strong>140:3</strong> (sip) URI is too long
</p>
</li>
<li>
<p>
<strong>140:4</strong> (sip) empty call-Id
</p>
</li>
<li>
<p>
<strong>140:5</strong> (sip) Call-Id is too long
</p>
</li>
<li>
<p>
<strong>140:6</strong> (sip) CSeq number is too large or negative
</p>
</li>
<li>
<p>
<strong>140:7</strong> (sip) request name in CSeq is too long
</p>
</li>
<li>
<p>
<strong>140:8</strong> (sip) empty From header
</p>
</li>
<li>
<p>
<strong>140:9</strong> (sip) From header is too long
</p>
</li>
<li>
<p>
<strong>140:10</strong> (sip) empty To header
</p>
</li>
<li>
<p>
<strong>140:11</strong> (sip) To header is too long
</p>
</li>
<li>
<p>
<strong>140:12</strong> (sip) empty Via header
</p>
</li>
<li>
<p>
<strong>140:13</strong> (sip) Via header is too long
</p>
</li>
<li>
<p>
<strong>140:14</strong> (sip) empty Contact
</p>
</li>
<li>
<p>
<strong>140:15</strong> (sip) contact is too long
</p>
</li>
<li>
<p>
<strong>140:16</strong> (sip) content length is too large or negative
</p>
</li>
<li>
<p>
<strong>140:17</strong> (sip) multiple SIP messages in a packet
</p>
</li>
<li>
<p>
<strong>140:18</strong> (sip) content length mismatch
</p>
</li>
<li>
<p>
<strong>140:19</strong> (sip) request name is invalid
</p>
</li>
<li>
<p>
<strong>140:20</strong> (sip) Invite replay attack
</p>
</li>
<li>
<p>
<strong>140:21</strong> (sip) illegal session information modification
</p>
</li>
<li>
<p>
<strong>140:22</strong> (sip) response status code is not a 3 digit number
</p>
</li>
<li>
<p>
<strong>140:23</strong> (sip) empty Content-type header
</p>
</li>
<li>
<p>
<strong>140:24</strong> (sip) SIP version is invalid
</p>
</li>
<li>
<p>
<strong>140:25</strong> (sip) mismatch in METHOD of request and the CSEQ header
</p>
</li>
<li>
<p>
<strong>140:26</strong> (sip) method is unknown
</p>
</li>
<li>
<p>
<strong>140:27</strong> (sip) maximum dialogs within a session reached
</p>
</li>
<li>
<p>
<strong>141:1</strong> (imap) unknown IMAP3 command
</p>
</li>
<li>
<p>
<strong>141:2</strong> (imap) unknown IMAP3 response
</p>
</li>
<li>
<p>
<strong>141:4</strong> (imap) base64 decoding failed
</p>
</li>
<li>
<p>
<strong>141:5</strong> (imap) quoted-printable decoding failed
</p>
</li>
<li>
<p>
<strong>141:7</strong> (imap) Unix-to-Unix decoding failed
</p>
</li>
<li>
<p>
<strong>141:8</strong> (imap) file decompression failed
</p>
</li>
<li>
<p>
<strong>142:1</strong> (pop) unknown POP3 command
</p>
</li>
<li>
<p>
<strong>142:2</strong> (pop) unknown POP3 response
</p>
</li>
<li>
<p>
<strong>142:4</strong> (pop) base64 decoding failed
</p>
</li>
<li>
<p>
<strong>142:5</strong> (pop) quoted-printable decoding failed
</p>
</li>
<li>
<p>
<strong>142:7</strong> (pop) Unix-to-Unix decoding failed
</p>
</li>
<li>
<p>
<strong>142:8</strong> (pop) file decompression failed
</p>
</li>
<li>
<p>
<strong>143:1</strong> (gtp_inspect) message length is invalid
</p>
</li>
<li>
<p>
<strong>143:2</strong> (gtp_inspect) information element length is invalid
</p>
</li>
<li>
<p>
<strong>143:3</strong> (gtp_inspect) information elements are out of order
</p>
</li>
<li>
<p>
<strong>144:1</strong> (modbus) length in Modbus MBAP header does not match the length needed for the given function
</p>
</li>
<li>
<p>
<strong>144:2</strong> (modbus) Modbus protocol ID is non-zero
</p>
</li>
<li>
<p>
<strong>144:3</strong> (modbus) reserved Modbus function code in use
</p>
</li>
<li>
<p>
<strong>145:1</strong> (dnp3) DNP3 link-layer frame contains bad CRC
</p>
</li>
<li>
<p>
<strong>145:2</strong> (dnp3) DNP3 link-layer frame was dropped
</p>
</li>
<li>
<p>
<strong>145:3</strong> (dnp3) DNP3 transport-layer segment was dropped during reassembly
</p>
</li>
<li>
<p>
<strong>145:4</strong> (dnp3) DNP3 reassembly buffer was cleared without reassembling a complete message
</p>
</li>
<li>
<p>
<strong>145:5</strong> (dnp3) DNP3 link-layer frame uses a reserved address
</p>
</li>
<li>
<p>
<strong>145:6</strong> (dnp3) DNP3 application-layer fragment uses a reserved function code
</p>
</li>
<li>
<p>
<strong>175:1</strong> (domain_filter) configured domain detected
</p>
</li>
<li>
<p>
<strong>256:1</strong> (dpx) too much data sent to port
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_command_set">Command Set</h3>
<div class="ulist"><ul>
<li>
<p>
<strong>appid.enable_debug</strong>(proto, src_ip, src_port, dst_ip, dst_port): enable appid debugging
</p>
</li>
<li>
<p>
<strong>appid.disable_debug</strong>(): disable appid debugging
</p>
</li>
<li>
<p>
<strong>host_cache.dump</strong>(file_name): dump host cache
</p>
</li>
<li>
<p>
<strong>packet_capture.enable</strong>(filter): dump raw packets
</p>
</li>
<li>
<p>
<strong>packet_capture.disable</strong>(): stop packet dump
</p>
</li>
<li>
<p>
<strong>packet_tracer.enable</strong>(proto, src_ip, src_port, dst_ip, dst_port): enable packet tracer debugging
</p>
</li>
<li>
<p>
<strong>packet_tracer.disable</strong>(): disable packet tracer
</p>
</li>
<li>
<p>
<strong>snort.show_plugins</strong>(): show available plugins
</p>
</li>
<li>
<p>
<strong>snort.delete_inspector</strong>(inspector): delete an inspector from the default policy
</p>
</li>
<li>
<p>
<strong>snort.dump_stats</strong>(): show summary statistics
</p>
</li>
<li>
<p>
<strong>snort.rotate_stats</strong>(): roll perfmonitor log files
</p>
</li>
<li>
<p>
<strong>snort.reload_config</strong>(filename): load new configuration
</p>
</li>
<li>
<p>
<strong>snort.reload_policy</strong>(filename): reload part or all of the default policy
</p>
</li>
<li>
<p>
<strong>snort.reload_module</strong>(module): reload module
</p>
</li>
<li>
<p>
<strong>snort.reload_daq</strong>(): reload daq module
</p>
</li>
<li>
<p>
<strong>snort.reload_hosts</strong>(filename): load a new hosts table
</p>
</li>
<li>
<p>
<strong>snort.pause</strong>(): suspend packet processing
</p>
</li>
<li>
<p>
<strong>snort.resume</strong>(pkt_num): continue packet processing. If number of packet is specified, will resume for n packets and pause
</p>
</li>
<li>
<p>
<strong>snort.detach</strong>(): exit shell w/o shutdown
</p>
</li>
<li>
<p>
<strong>snort.quit</strong>(): shutdown and dump-stats
</p>
</li>
<li>
<p>
<strong>snort.help</strong>(): this output
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_signals_2">Signals</h3>
<div class="admonitionblock">
<table><tr>
<td class="icon">
<img src="./images/icons/important.png" alt="Important" />
</td>
<td class="content">Signal numbers are for the system that generated this
documentation and are not applicable elsewhere.</td>
</tr></table>
</div>
<div class="ulist"><ul>
<li>
<p>
<strong>term</strong>(15): shutdown normally
</p>
</li>
<li>
<p>
<strong>int</strong>(2): shutdown normally
</p>
</li>
<li>
<p>
<strong>quit</strong>(3): shutdown as if started with --dirty-pig
</p>
</li>
<li>
<p>
<strong>stats</strong>(10): dump stats to stdout
</p>
</li>
<li>
<p>
<strong>rotate</strong>(12): rotate stats files
</p>
</li>
<li>
<p>
<strong>reload</strong>(1): reload config file
</p>
</li>
<li>
<p>
<strong>hosts</strong>(23): reload hosts file
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_configuration_changes">Configuration Changes</h3>
<div class="listingblock">
<div class="content">
<pre><code>change -&gt;  dynamicdetection ==&gt; 'snort.--plugin_path=&lt;path&gt;'
change -&gt;  dynamicengine ==&gt; 'snort.--plugin_path=&lt;path&gt;'
change -&gt;  dynamicpreprocessor ==&gt; 'snort.--plugin_path=&lt;path&gt;'
change -&gt;  dynamicsidechannel ==&gt; 'snort.--plugin_path=&lt;path&gt;'
change -&gt; attribute_table: 'STREAM_POLICY' ==&gt; 'hosts: tcp_policy'
change -&gt; attribute_table: 'filename &lt;file_name&gt;' ==&gt; 'hosts[]'
change -&gt; config ' addressspace_agnostic'  ==&gt; ' packets. address_space_agnostic'
change -&gt; config ' checksum_mode'  ==&gt; ' network. checksum_eval'
change -&gt; config ' daq_dir'  ==&gt; ' daq. module_dirs, true'
change -&gt; config ' detection_filter'  ==&gt; ' alerts. detection_filter_memcap'
change -&gt; config ' enable_deep_teredo_inspection'  ==&gt; ' udp. deep_teredo_inspection'
change -&gt; config ' event_filter'  ==&gt; ' alerts. event_filter_memcap'
change -&gt; config ' max_attribute_hosts'  ==&gt; ' attribute_table. max_hosts'
change -&gt; config ' max_attribute_services_per_host'  ==&gt; ' attribute_table. max_services_per_host'
change -&gt; config ' nopcre'  ==&gt; ' detection. pcre_enable'
change -&gt; config ' pkt_count'  ==&gt; ' packets. limit'
change -&gt; config ' rate_filter'  ==&gt; ' alerts. rate_filter_memcap'
change -&gt; config ' react'  ==&gt; ' react. page'
change -&gt; config ' threshold'  ==&gt; ' alerts. event_filter_memcap'
change -&gt; converter: 'gen_id' ==&gt; 'gid'
change -&gt; converter: 'sid_id' ==&gt; 'sid'
change -&gt; csv: 'csv' ==&gt; 'fields'
change -&gt; csv: 'dgmlen' ==&gt; 'pkt_len'
change -&gt; csv: 'dst' ==&gt; 'dst_addr'
change -&gt; csv: 'dstport' ==&gt; 'dst_port'
change -&gt; csv: 'ethdst' ==&gt; 'eth_dst'
change -&gt; csv: 'ethlen' ==&gt; 'eth_len'
change -&gt; csv: 'ethsrc' ==&gt; 'eth_src'
change -&gt; csv: 'ethtype' ==&gt; 'eth_type'
change -&gt; csv: 'icmpcode' ==&gt; 'icmp_code'
change -&gt; csv: 'icmpid' ==&gt; 'icmp_id'
change -&gt; csv: 'icmpseq' ==&gt; 'icmp_seq'
change -&gt; csv: 'icmptype' ==&gt; 'icmp_type'
change -&gt; csv: 'id' ==&gt; 'ip_id'
change -&gt; csv: 'iplen' ==&gt; 'ip_len'
change -&gt; csv: 'sig_generator' ==&gt; 'gid'
change -&gt; csv: 'sig_id' ==&gt; 'sid'
change -&gt; csv: 'sig_rev' ==&gt; 'rev'
change -&gt; csv: 'src' ==&gt; 'src_addr'
change -&gt; csv: 'srcport' ==&gt; 'src_port'
change -&gt; csv: 'tcpack' ==&gt; 'tcp_ack'
change -&gt; csv: 'tcpflags' ==&gt; 'tcp_flags'
change -&gt; csv: 'tcplen' ==&gt; 'tcp_len'
change -&gt; csv: 'tcpseq' ==&gt; 'tcp_seq'
change -&gt; csv: 'tcpwindow' ==&gt; 'tcp_win'
change -&gt; csv: 'udplength' ==&gt; 'udp_len'
change -&gt; daq: 'config daq:' ==&gt; 'name'
change -&gt; daq_mode: 'config daq_mode:' ==&gt; 'mode'
change -&gt; daq_var: 'config daq_var:' ==&gt; 'variables'
change -&gt; detection: 'ac' ==&gt; 'ac_full'
change -&gt; detection: 'ac-banded' ==&gt; 'ac_banded'
change -&gt; detection: 'ac-bnfa' ==&gt; 'ac_bnfa'
change -&gt; detection: 'ac-bnfa-nq' ==&gt; 'ac_bnfa'
change -&gt; detection: 'ac-bnfa-q' ==&gt; 'ac_bnfa'
change -&gt; detection: 'ac-nq' ==&gt; 'ac_full'
change -&gt; detection: 'ac-q' ==&gt; 'ac_full'
change -&gt; detection: 'ac-sparsebands' ==&gt; 'ac_sparse_bands'
change -&gt; detection: 'ac-split' ==&gt; 'ac_full'
change -&gt; detection: 'ac-split' ==&gt; 'split_any_any'
change -&gt; detection: 'ac-std' ==&gt; 'ac_std'
change -&gt; detection: 'acs' ==&gt; 'ac_sparse'
change -&gt; detection: 'bleedover-port-limit' ==&gt; 'bleedover_port_limit'
change -&gt; detection: 'debug-print-fast-pattern' ==&gt; 'show_fast_patterns'
change -&gt; detection: 'intel-cpm' ==&gt; 'hyperscan'
change -&gt; detection: 'lowmem-nq' ==&gt; 'lowmem'
change -&gt; detection: 'lowmem-q' ==&gt; 'lowmem'
change -&gt; detection: 'max-pattern-len' ==&gt; 'max_pattern_len'
change -&gt; detection: 'no_stream_inserts' ==&gt; 'detect_raw_tcp'
change -&gt; detection: 'search-method' ==&gt; 'search_method'
change -&gt; detection: 'search-optimize' ==&gt; 'search_optimize'
change -&gt; detection: 'split-any-any' ==&gt; 'split_any_any = true by default'
change -&gt; detection: 'split-any-any' ==&gt; 'split_any_any'
change -&gt; dnp3: 'ports' ==&gt; 'bindings'
change -&gt; dns: 'ports' ==&gt; 'bindings'
change -&gt; event_filter: 'gen_id' ==&gt; 'gid'
change -&gt; event_filter: 'sig_id' ==&gt; 'sid'
change -&gt; event_filter: 'threshold' ==&gt; 'event_filter'
change -&gt; file: 'config file: file_block_timeout' ==&gt; 'block_timeout'
change -&gt; file: 'config file: file_capture_block_size' ==&gt; 'capture_block_size'
change -&gt; file: 'config file: file_capture_max' ==&gt; 'capture_max_size'
change -&gt; file: 'config file: file_capture_memcap' ==&gt; 'capture_memcap'
change -&gt; file: 'config file: file_capture_min' ==&gt; 'capture_min_size'
change -&gt; file: 'config file: file_type_depth' ==&gt; 'type_depth'
change -&gt; file: 'config file: signature' ==&gt; 'enable_signature'
change -&gt; file: 'config file: type_id' ==&gt; 'enable_type'
change -&gt; file: 'ver' ==&gt; 'version'
change -&gt; frag3_engine: 'min_fragment_length' ==&gt; 'min_frag_length'
change -&gt; frag3_engine: 'overlap_limit' ==&gt; 'max_overlaps'
change -&gt; frag3_engine: 'policy bsd-right' ==&gt; 'policy = bsd_right'
change -&gt; frag3_engine: 'timeout' ==&gt; 'session_timeout'
change -&gt; ftp_telnet_protocol: 'alt_max_param_len' ==&gt; 'cmd_validity'
change -&gt; ftp_telnet_protocol: 'data_chan' ==&gt; 'ignore_data_chan'
change -&gt; ftp_telnet_protocol: 'ports' ==&gt; 'bindings'
change -&gt; gtp: 'ports' ==&gt; 'bindings'
change -&gt; http_inspect_server: 'bare_byte' ==&gt; 'utf8_bare_byte'
change -&gt; http_inspect_server: 'client_flow_depth' ==&gt; 'request_depth'
change -&gt; http_inspect_server: 'double_decode' ==&gt; 'iis_double_decode'
change -&gt; http_inspect_server: 'http_inspect_server' ==&gt; 'http_inspect'
change -&gt; http_inspect_server: 'iis_backslash' ==&gt; 'backslash_to_slash'
change -&gt; http_inspect_server: 'inspect_gzip' ==&gt; 'unzip'
change -&gt; http_inspect_server: 'non_rfc_char' ==&gt; 'bad_characters'
change -&gt; http_inspect_server: 'ports' ==&gt; 'bindings'
change -&gt; http_inspect_server: 'u_encode' ==&gt; 'percent_u'
change -&gt; http_inspect_server: 'utf_8' ==&gt; 'utf8'
change -&gt; imap: 'ports' ==&gt; 'bindings'
change -&gt; modbus: 'ports' ==&gt; 'bindings'
change -&gt; na_policy_mode: 'na_policy_mode' ==&gt; 'mode'
change -&gt; nap_selector: 'nap rules' ==&gt; 'bindings'
change -&gt; paf_max: 'paf_max [0:63780]' ==&gt; 'max_pdu [1460:32768]'
change -&gt; perfmonitor: 'console' ==&gt; 'format = 'text''
change -&gt; perfmonitor: 'console' ==&gt; 'output = 'console''
change -&gt; perfmonitor: 'file' ==&gt; 'format = 'csv''
change -&gt; perfmonitor: 'file' ==&gt; 'output = 'file''
change -&gt; perfmonitor: 'flow-file' ==&gt; 'format = 'csv''
change -&gt; perfmonitor: 'flow-file' ==&gt; 'output = 'file''
change -&gt; perfmonitor: 'flow-ip' ==&gt; 'flow_ip'
change -&gt; perfmonitor: 'flow-ip-file' ==&gt; 'format = 'csv''
change -&gt; perfmonitor: 'flow-ip-file' ==&gt; 'output = 'file''
change -&gt; perfmonitor: 'flow-ip-memcap' ==&gt; 'flow_ip_memcap'
change -&gt; perfmonitor: 'flow-ports' ==&gt; 'flow_ports'
change -&gt; perfmonitor: 'pktcnt' ==&gt; 'packets'
change -&gt; perfmonitor: 'snortfile' ==&gt; 'format = 'csv''
change -&gt; perfmonitor: 'snortfile' ==&gt; 'output = 'file''
change -&gt; perfmonitor: 'time' ==&gt; 'seconds'
change -&gt; policy_mode: 'inline_test' ==&gt; 'inline-test'
change -&gt; pop: 'ports' ==&gt; 'bindings'
change -&gt; ppm: ''both'' ==&gt; ''alert_and_log''
change -&gt; ppm: 'fastpath-expensive-packets' ==&gt; 'packet.fastpath'
change -&gt; ppm: 'max-pkt-time' ==&gt; 'packet.max_time'
change -&gt; ppm: 'max-rule-time' ==&gt; 'rule.max_time'
change -&gt; ppm: 'pkt-log' ==&gt; 'packet.action'
change -&gt; ppm: 'ppm' ==&gt; 'latency'
change -&gt; ppm: 'rule-log' ==&gt; 'rule.action'
change -&gt; ppm: 'suspend-expensive-rules' ==&gt; 'rule.suspend'
change -&gt; ppm: 'suspend-timeout' ==&gt; 'max_suspend_time'
change -&gt; ppm: 'threshold' ==&gt; 'rule.suspend_threshold'
change -&gt; preprocessor 'normalize_ icmp4' ==&gt; 'normalize. icmp4'
change -&gt; preprocessor 'normalize_ icmp6' ==&gt; 'normalize. icmp6'
change -&gt; preprocessor 'normalize_ ip6' ==&gt; 'normalize. ip6'
change -&gt; profile: 'print' ==&gt; 'count'
change -&gt; profile: 'sort avg_ticks' ==&gt; 'sort = avg_check'
change -&gt; profile: 'sort total_ticks' ==&gt; 'sort = total_time'
change -&gt; rate_filter: 'gen_id' ==&gt; 'gid'
change -&gt; rate_filter: 'sig_id' ==&gt; 'sid'
change -&gt; reputation: 'shared_mem' ==&gt; 'list_dir'
change -&gt; rule_state: 'enabled/disabled' ==&gt; 'enable'
change -&gt; rule_state: 'sdrop' ==&gt; 'drop'
change -&gt; sfportscan: 'proto' ==&gt; 'protos'
change -&gt; sfportscan: 'scan_type' ==&gt; 'scan_types'
change -&gt; sip: 'ports' ==&gt; 'bindings'
change -&gt; smtp: 'ports' ==&gt; 'bindings'
change -&gt; ssh: 'server_ports' ==&gt; 'bindings'
change -&gt; ssl: 'ports' ==&gt; 'bindings'
change -&gt; stream5_global: 'max_active_responses' ==&gt; 'max_responses'
change -&gt; stream5_global: 'min_response_seconds' ==&gt; 'min_interval'
change -&gt; stream5_global: 'tcp_cache_nominal_timeout' ==&gt; 'idle_timeout'
change -&gt; stream5_global: 'udp_cache_nominal_timeout' ==&gt; 'idle_timeout'
change -&gt; stream5_ha: 'min_session_lifetime' ==&gt; 'min_age'
change -&gt; stream5_ha: 'min_sync_interval' ==&gt; 'min_sync'
change -&gt; stream5_ha: 'stream5_ha' ==&gt; 'high_availability'
change -&gt; stream5_ha: 'use_daq' ==&gt; 'daq_channel'
change -&gt; stream5_ip: 'timeout' ==&gt; 'session_timeout'
change -&gt; stream5_tcp: 'bind_to' ==&gt; 'bindings'
change -&gt; stream5_tcp: 'dont_reassemble_async' ==&gt; 'reassemble_async'
change -&gt; stream5_tcp: 'max_queued_bytes' ==&gt; 'queue_limit.max_bytes'
change -&gt; stream5_tcp: 'max_queued_segs' ==&gt; 'queue_limit.max_segments'
change -&gt; stream5_tcp: 'policy hpux' ==&gt; 'stream_tcp.policy = hpux11'
change -&gt; stream5_tcp: 'timeout' ==&gt; 'session_timeout'
change -&gt; stream5_udp: 'timeout' ==&gt; 'session_timeout'
change -&gt; suppress: 'gen_id' ==&gt; 'gid'
change -&gt; suppress: 'sig_id' ==&gt; 'sid'
change -&gt; syslog: 'log_alert' ==&gt; 'level = alert'
change -&gt; syslog: 'log_auth' ==&gt; 'facility = auth'
change -&gt; syslog: 'log_authpriv' ==&gt; 'facility = authpriv'
change -&gt; syslog: 'log_cons' ==&gt; 'options = cons'
change -&gt; syslog: 'log_crit' ==&gt; 'level = crit'
change -&gt; syslog: 'log_daemon' ==&gt; 'facility = daemon'
change -&gt; syslog: 'log_debug' ==&gt; 'level = debug'
change -&gt; syslog: 'log_emerg' ==&gt; 'level = emerg'
change -&gt; syslog: 'log_err' ==&gt; 'level = err'
change -&gt; syslog: 'log_info' ==&gt; 'level = info'
change -&gt; syslog: 'log_local0' ==&gt; 'facility = local0'
change -&gt; syslog: 'log_local1' ==&gt; 'facility = local1'
change -&gt; syslog: 'log_local2' ==&gt; 'facility = local2'
change -&gt; syslog: 'log_local3' ==&gt; 'facility = local3'
change -&gt; syslog: 'log_local4' ==&gt; 'facility = local4'
change -&gt; syslog: 'log_local5' ==&gt; 'facility = local5'
change -&gt; syslog: 'log_local6' ==&gt; 'facility = local6'
change -&gt; syslog: 'log_local7' ==&gt; 'facility = local7'
change -&gt; syslog: 'log_ndelay' ==&gt; 'options = ndelay'
change -&gt; syslog: 'log_notice' ==&gt; 'level = notice'
change -&gt; syslog: 'log_perror' ==&gt; 'options = perror'
change -&gt; syslog: 'log_pid' ==&gt; 'options = pid'
change -&gt; syslog: 'log_user' ==&gt; 'facility = user'
change -&gt; syslog: 'log_warning' ==&gt; 'level = warning'
change -&gt; threshold: 'ips_option: threshold' ==&gt; 'event_filter'
change -&gt; unified2: ' alert_unified2' ==&gt; 'unified2'
change -&gt; unified2: ' log_unified2' ==&gt; 'unified2'
change -&gt; unified2: ' unified2' ==&gt; 'unified2'
deleted -&gt; arpspoof: 'unicast'
deleted -&gt; attribute_table: '&lt;FRAG_POLICY&gt;hpux&lt;/FRAG_POLICY&gt;'
deleted -&gt; attribute_table: '&lt;FRAG_POLICY&gt;irix&lt;/FRAG_POLICY&gt;'
deleted -&gt; attribute_table: '&lt;FRAG_POLICY&gt;old-linux&lt;/FRAG_POLICY&gt;'
deleted -&gt; attribute_table: '&lt;FRAG_POLICY&gt;unknown&lt;/FRAG_POLICY&gt;'
deleted -&gt; attribute_table: '&lt;STREAM_POLICY&gt;noack&lt;/STREAM_POLICY&gt;'
deleted -&gt; attribute_table: '&lt;STREAM_POLICY&gt;unknown&lt;/STREAM_POLICY&gt;'
deleted -&gt; config ' cs_dir'
deleted -&gt; config ' decode_data_link'
deleted -&gt; config ' disable_attribute_reload_thread'
deleted -&gt; config ' disable_decode_alerts'
deleted -&gt; config ' disable_decode_drops'
deleted -&gt; config ' disable_inline_init_failopen'
deleted -&gt; config ' disable_ipopt_alerts'
deleted -&gt; config ' disable_ipopt_drops'
deleted -&gt; config ' disable_tcpopt_alerts'
deleted -&gt; config ' disable_tcpopt_drops'
deleted -&gt; config ' disable_tcpopt_experimental_alerts'
deleted -&gt; config ' disable_tcpopt_experimental_drops'
deleted -&gt; config ' disable_tcpopt_obsolete_alerts'
deleted -&gt; config ' disable_tcpopt_obsolete_drops'
deleted -&gt; config ' disable_tcpopt_ttcp_alerts'
deleted -&gt; config ' disable_ttcp_alerts'
deleted -&gt; config ' disable_ttcp_drops'
deleted -&gt; config ' dump_dynamic_rules_path'
deleted -&gt; config ' enable_decode_drops'
deleted -&gt; config ' enable_decode_oversized_alerts'
deleted -&gt; config ' enable_decode_oversized_drops'
deleted -&gt; config ' enable_ipopt_drops'
deleted -&gt; config ' enable_tcpopt_drops'
deleted -&gt; config ' enable_tcpopt_experimental_drops'
deleted -&gt; config ' enable_tcpopt_obsolete_drops'
deleted -&gt; config ' enable_tcpopt_ttcp_drops'
deleted -&gt; config ' enable_ttcp_drops'
deleted -&gt; config ' flexresp2_attempts'
deleted -&gt; config ' flexresp2_interface'
deleted -&gt; config ' flexresp2_memcap'
deleted -&gt; config ' flexresp2_rows'
deleted -&gt; config ' flowbits_size'
deleted -&gt; config ' include_vlan_in_alerts'
deleted -&gt; config ' interface'
deleted -&gt; config ' layer2resets'
deleted -&gt; config ' log_ipv6_extra_data'
deleted -&gt; config ' no_promisc'
deleted -&gt; config ' nolog'
deleted -&gt; config ' protected_content'
deleted -&gt; config ' sidechannel'
deleted -&gt; config ' so_rule_memcap'
deleted -&gt; config 'dynamicoutput'
deleted -&gt; config 'sfalert_unified2'
deleted -&gt; config 'sflog_unified2'
deleted -&gt; config 'sidechannel'
deleted -&gt; csv: '&lt;filename&gt; can no longer be specific'
deleted -&gt; csv: 'default'
deleted -&gt; csv: 'trheader'
deleted -&gt; detection: 'mwm'
deleted -&gt; dnp3: 'disabled'
deleted -&gt; dnp3: 'memcap'
deleted -&gt; dns: 'enable_experimental_types'
deleted -&gt; dns: 'enable_obsolete_types'
deleted -&gt; dns: 'enable_rdata_overflow'
deleted -&gt; event_trace: 'file'
deleted -&gt; fast: '&lt;filename&gt; can no longer be specific'
deleted -&gt; frag3_engine: 'detect_anomalies'
deleted -&gt; frag3_global: 'disabled'
deleted -&gt; ftp_telnet_protocol: 'detect_anomalies'
deleted -&gt; full: '&lt;filename&gt; can no longer be specific'
deleted -&gt; http_inspect: 'detect_anomalous_servers'
deleted -&gt; http_inspect: 'disabled'
deleted -&gt; http_inspect: 'proxy_alert'
deleted -&gt; http_inspect_server: 'allow_proxy_use'
deleted -&gt; http_inspect_server: 'enable_cookie'
deleted -&gt; http_inspect_server: 'enable_xff'
deleted -&gt; http_inspect_server: 'extended_ascii_uri'
deleted -&gt; http_inspect_server: 'extended_response_inspection'
deleted -&gt; http_inspect_server: 'iis_unicode_map not allowed in sever'
deleted -&gt; http_inspect_server: 'inspect_uri_only'
deleted -&gt; http_inspect_server: 'log_hostname'
deleted -&gt; http_inspect_server: 'log_uri'
deleted -&gt; http_inspect_server: 'no_alerts'
deleted -&gt; http_inspect_server: 'no_pipeline_req'
deleted -&gt; http_inspect_server: 'non_strict'
deleted -&gt; http_inspect_server: 'normalize_cookies'
deleted -&gt; http_inspect_server: 'normalize_headers'
deleted -&gt; http_inspect_server: 'small_chunk_length'
deleted -&gt; http_inspect_server: 'tab_uri_delimiter'
deleted -&gt; http_inspect_server: 'unlimited_decompress'
deleted -&gt; imap: 'disabled'
deleted -&gt; imap: 'max_mime_mem'
deleted -&gt; imap: 'memcap'
deleted -&gt; nap_selector: 'fw_required'
deleted -&gt; nap_selector: 'nap_stats_time'
deleted -&gt; perfmonitor: 'accumulate'
deleted -&gt; perfmonitor: 'atexitonly'
deleted -&gt; perfmonitor: 'atexitonly: base-stats'
deleted -&gt; perfmonitor: 'atexitonly: events-stats'
deleted -&gt; perfmonitor: 'atexitonly: flow-ip-stats'
deleted -&gt; perfmonitor: 'atexitonly: flow-stats'
deleted -&gt; perfmonitor: 'atexitonly: reset'
deleted -&gt; perfmonitor: 'events'
deleted -&gt; perfmonitor: 'max'
deleted -&gt; pop: 'disabled'
deleted -&gt; pop: 'max_mime_mem'
deleted -&gt; pop: 'memcap'
deleted -&gt; ppm: 'debug-pkts'
deleted -&gt; react: 'block'
deleted -&gt; react: 'warn'
deleted -&gt; reputation: 'shared_max_instances'
deleted -&gt; reputation: 'shared_refresh'
deleted -&gt; rpc_decode: 'alert_fragments'
deleted -&gt; rpc_decode: 'no_alert_incomplete'
deleted -&gt; rpc_decode: 'no_alert_large_fragments'
deleted -&gt; rpc_decode: 'no_alert_multiple_requests'
deleted -&gt; sfportscan: 'detect_ack_scans'
deleted -&gt; sfportscan: 'disabled'
deleted -&gt; sfportscan: 'logfile'
deleted -&gt; sfportscan: 'sense_level'
deleted -&gt; sfunified2: 'mpls_event_types'
deleted -&gt; sfunified2: 'vlan_event_types'
deleted -&gt; sip: 'disabled'
deleted -&gt; sip: 'max_sessions'
deleted -&gt; smtp: 'alert_unknown_cmds'
deleted -&gt; smtp: 'disabled'
deleted -&gt; smtp: 'enable_mime_decoding'
deleted -&gt; smtp: 'inspection_type'
deleted -&gt; smtp: 'max_mime_depth'
deleted -&gt; smtp: 'max_mime_mem'
deleted -&gt; smtp: 'memcap'
deleted -&gt; smtp: 'no_alerts'
deleted -&gt; smtp: 'print_cmds'
deleted -&gt; ssh: 'autodetect'
deleted -&gt; ssh: 'enable_badmsgdir'
deleted -&gt; ssh: 'enable_paysize'
deleted -&gt; ssh: 'enable_protomismatch'
deleted -&gt; ssh: 'enable_recognition'
deleted -&gt; ssh: 'enable_respoverflow'
deleted -&gt; ssh: 'enable_srvoverflow'
deleted -&gt; ssh: 'enable_ssh1crc32'
deleted -&gt; ssl: 'noinspect_encrypted'
deleted -&gt; stream5_global: 'disabled'
deleted -&gt; stream5_global: 'flush_on_alert'
deleted -&gt; stream5_global: 'memcap'
deleted -&gt; stream5_global: 'no_midstream_drop_alerts'
deleted -&gt; stream5_tcp: 'check_session_hijacking'
deleted -&gt; stream5_tcp: 'detect_anomalies'
deleted -&gt; stream5_tcp: 'dont_store_large_packets'
deleted -&gt; stream5_tcp: 'ignore_any_rules'
deleted -&gt; stream5_tcp: 'log_asymmetric_traffic'
deleted -&gt; stream5_tcp: 'policy noack'
deleted -&gt; stream5_tcp: 'policy unknown'
deleted -&gt; stream5_udp: 'ignore_any_rules'
deleted -&gt; tcpdump: '&lt;filename&gt; can no longer be specific'
deleted -&gt; test: 'file'
deleted -&gt; test: 'stdout'
deleted -&gt; unified2: 'filename'
deleted -&gt; unified2: 'mpls_event_types'
deleted -&gt; unified2: 'vlan_event_types'</code></pre>
</div></div>
</div>
<div class="sect2">
<h3 id="_module_listing">Module Listing</h3>
<div class="ulist"><ul>
<li>
<p>
<strong>ack</strong> (ips_option): rule option to match on TCP ack numbers
</p>
</li>
<li>
<p>
<strong>active</strong> (basic): configure responses
</p>
</li>
<li>
<p>
<strong>alert_csv</strong> (logger): output event in csv format
</p>
</li>
<li>
<p>
<strong>alert_ex</strong> (logger): output gid:sid:rev for alerts
</p>
</li>
<li>
<p>
<strong>alert_fast</strong> (logger): output event with brief text format
</p>
</li>
<li>
<p>
<strong>alert_full</strong> (logger): output event with full packet dump
</p>
</li>
<li>
<p>
<strong>alert_json</strong> (logger): output event in json format
</p>
</li>
<li>
<p>
<strong>alert_sfsocket</strong> (logger): output event over socket
</p>
</li>
<li>
<p>
<strong>alert_syslog</strong> (logger): output event to syslog
</p>
</li>
<li>
<p>
<strong>alert_talos</strong> (logger): output event in Talos alert format
</p>
</li>
<li>
<p>
<strong>alert_unixsock</strong> (logger): output event over unix socket
</p>
</li>
<li>
<p>
<strong>alerts</strong> (basic): configure alerts
</p>
</li>
<li>
<p>
<strong>appid</strong> (inspector): application and service identification
</p>
</li>
<li>
<p>
<strong>appids</strong> (ips_option): detection option for application ids
</p>
</li>
<li>
<p>
<strong>arp</strong> (codec): support for address resolution protocol
</p>
</li>
<li>
<p>
<strong>arp_spoof</strong> (inspector): detect ARP attacks and anomalies
</p>
</li>
<li>
<p>
<strong>asn1</strong> (ips_option): rule option for asn1 detection
</p>
</li>
<li>
<p>
<strong>attribute_table</strong> (basic): configure hosts loading
</p>
</li>
<li>
<p>
<strong>auth</strong> (codec): support for IP authentication header
</p>
</li>
<li>
<p>
<strong>back_orifice</strong> (inspector): back orifice detection
</p>
</li>
<li>
<p>
<strong>base64_decode</strong> (ips_option): rule option to decode base64 data - must be used with base64_data option
</p>
</li>
<li>
<p>
<strong>ber_data</strong> (ips_option): rule option to move to the data for a specified BER element
</p>
</li>
<li>
<p>
<strong>ber_skip</strong> (ips_option): rule option to skip BER element
</p>
</li>
<li>
<p>
<strong>binder</strong> (inspector): configure processing based on CIDRs, ports, services, etc.
</p>
</li>
<li>
<p>
<strong>bufferlen</strong> (ips_option): rule option to check length of current buffer
</p>
</li>
<li>
<p>
<strong>byte_extract</strong> (ips_option): rule option to convert data to an integer variable
</p>
</li>
<li>
<p>
<strong>byte_jump</strong> (ips_option): rule option to move the detection cursor
</p>
</li>
<li>
<p>
<strong>byte_math</strong> (ips_option): rule option to perform mathematical operations on extracted value and a specified value or existing variable
</p>
</li>
<li>
<p>
<strong>byte_test</strong> (ips_option): rule option to convert data to integer and compare
</p>
</li>
<li>
<p>
<strong>ciscometadata</strong> (codec): support for cisco metadata
</p>
</li>
<li>
<p>
<strong>classifications</strong> (basic): define rule categories with priority
</p>
</li>
<li>
<p>
<strong>classtype</strong> (ips_option): general rule option for rule classification
</p>
</li>
<li>
<p>
<strong>content</strong> (ips_option): payload rule option for basic pattern matching
</p>
</li>
<li>
<p>
<strong>cvs</strong> (ips_option): payload rule option for detecting specific attacks
</p>
</li>
<li>
<p>
<strong>daq</strong> (basic): configure packet acquisition interface
</p>
</li>
<li>
<p>
<strong>data_log</strong> (inspector): log selected published data to data.log
</p>
</li>
<li>
<p>
<strong>dce_http_proxy</strong> (inspector): dce over http inspection - client to/from proxy
</p>
</li>
<li>
<p>
<strong>dce_http_server</strong> (inspector): dce over http inspection - proxy to/from server
</p>
</li>
<li>
<p>
<strong>dce_iface</strong> (ips_option): detection option to check dcerpc interface
</p>
</li>
<li>
<p>
<strong>dce_opnum</strong> (ips_option): detection option to check dcerpc operation number
</p>
</li>
<li>
<p>
<strong>dce_smb</strong> (inspector): dce over smb inspection
</p>
</li>
<li>
<p>
<strong>dce_stub_data</strong> (ips_option): sets the cursor to dcerpc stub data
</p>
</li>
<li>
<p>
<strong>dce_tcp</strong> (inspector): dce over tcp inspection
</p>
</li>
<li>
<p>
<strong>dce_udp</strong> (inspector): dce over udp inspection
</p>
</li>
<li>
<p>
<strong>decode</strong> (basic): general decoder rules
</p>
</li>
<li>
<p>
<strong>detection</strong> (basic): configure general IPS rule processing parameters
</p>
</li>
<li>
<p>
<strong>detection_filter</strong> (ips_option): rule option to require multiple hits before a rule generates an event
</p>
</li>
<li>
<p>
<strong>dnp3</strong> (inspector): dnp3 inspection
</p>
</li>
<li>
<p>
<strong>dnp3_data</strong> (ips_option): sets the cursor to dnp3 data
</p>
</li>
<li>
<p>
<strong>dnp3_func</strong> (ips_option): detection option to check DNP3 function code
</p>
</li>
<li>
<p>
<strong>dnp3_ind</strong> (ips_option): detection option to check DNP3 indicator flags
</p>
</li>
<li>
<p>
<strong>dnp3_obj</strong> (ips_option): detection option to check DNP3 object headers
</p>
</li>
<li>
<p>
<strong>dns</strong> (inspector): dns inspection
</p>
</li>
<li>
<p>
<strong>domain_filter</strong> (inspector): alert on configured HTTP domains
</p>
</li>
<li>
<p>
<strong>dpx</strong> (inspector): dynamic inspector example
</p>
</li>
<li>
<p>
<strong>dsize</strong> (ips_option): rule option to test payload size
</p>
</li>
<li>
<p>
<strong>eapol</strong> (codec): support for extensible authentication protocol over LAN
</p>
</li>
<li>
<p>
<strong>erspan2</strong> (codec): support for encapsulated remote switched port analyzer - type 2
</p>
</li>
<li>
<p>
<strong>erspan3</strong> (codec): support for encapsulated remote switched port analyzer - type 3
</p>
</li>
<li>
<p>
<strong>esp</strong> (codec): support for encapsulating security payload
</p>
</li>
<li>
<p>
<strong>eth</strong> (codec): support for ethernet protocol (DLT 1) (DLT 51)
</p>
</li>
<li>
<p>
<strong>event_filter</strong> (basic): configure thresholding of events
</p>
</li>
<li>
<p>
<strong>event_queue</strong> (basic): configure event queue parameters
</p>
</li>
<li>
<p>
<strong>fabricpath</strong> (codec): support for fabricpath
</p>
</li>
<li>
<p>
<strong>file_connector</strong> (connector): implement the file based connector
</p>
</li>
<li>
<p>
<strong>file_data</strong> (ips_option): rule option to set detection cursor to file data
</p>
</li>
<li>
<p>
<strong>file_id</strong> (inspector): configure file identification
</p>
</li>
<li>
<p>
<strong>file_log</strong> (inspector): log file event to file.log
</p>
</li>
<li>
<p>
<strong>file_type</strong> (ips_option): rule option to check file type
</p>
</li>
<li>
<p>
<strong>finalize_packet</strong> (inspector): handle the finalize packet event
</p>
</li>
<li>
<p>
<strong>flags</strong> (ips_option): rule option to test TCP control flags
</p>
</li>
<li>
<p>
<strong>flow</strong> (ips_option): rule option to check session properties
</p>
</li>
<li>
<p>
<strong>flowbits</strong> (ips_option): rule option to set and test arbitrary boolean flags
</p>
</li>
<li>
<p>
<strong>fragbits</strong> (ips_option): rule option to test IP frag flags
</p>
</li>
<li>
<p>
<strong>fragoffset</strong> (ips_option): rule option to test IP frag offset
</p>
</li>
<li>
<p>
<strong>ftp_client</strong> (inspector): FTP client configuration module for use with ftp_server
</p>
</li>
<li>
<p>
<strong>ftp_data</strong> (inspector): FTP data channel handler
</p>
</li>
<li>
<p>
<strong>ftp_server</strong> (inspector): main FTP module; ftp_client should also be configured
</p>
</li>
<li>
<p>
<strong>gid</strong> (ips_option): rule option specifying rule generator
</p>
</li>
<li>
<p>
<strong>gre</strong> (codec): support for generic routing encapsulation
</p>
</li>
<li>
<p>
<strong>gtp</strong> (codec): support for general-packet-radio-service tunneling protocol
</p>
</li>
<li>
<p>
<strong>gtp_info</strong> (ips_option): rule option to check gtp info element
</p>
</li>
<li>
<p>
<strong>gtp_inspect</strong> (inspector): gtp control channel inspection
</p>
</li>
<li>
<p>
<strong>gtp_type</strong> (ips_option): rule option to check gtp types
</p>
</li>
<li>
<p>
<strong>gtp_version</strong> (ips_option): rule option to check GTP version
</p>
</li>
<li>
<p>
<strong>high_availability</strong> (basic): implement flow tracking high availability
</p>
</li>
<li>
<p>
<strong>host_cache</strong> (basic): global LRU cache of host_tracker data about hosts
</p>
</li>
<li>
<p>
<strong>host_tracker</strong> (basic): configure hosts
</p>
</li>
<li>
<p>
<strong>hosts</strong> (basic): configure hosts
</p>
</li>
<li>
<p>
<strong>http2_decoded_header</strong> (ips_option): rule option to set detection cursor to the decoded HTTP/2 header
</p>
</li>
<li>
<p>
<strong>http2_frame_data</strong> (ips_option): rule option to set detection cursor to the HTTP/2 frame body
</p>
</li>
<li>
<p>
<strong>http2_frame_header</strong> (ips_option): rule option to set detection cursor to the 9-octet HTTP/2 frame header
</p>
</li>
<li>
<p>
<strong>http2_inspect</strong> (inspector): HTTP/2 inspector
</p>
</li>
<li>
<p>
<strong>http_client_body</strong> (ips_option): rule option to set the detection cursor to the request body
</p>
</li>
<li>
<p>
<strong>http_cookie</strong> (ips_option): rule option to set the detection cursor to the HTTP cookie
</p>
</li>
<li>
<p>
<strong>http_header</strong> (ips_option): rule option to set the detection cursor to the normalized headers
</p>
</li>
<li>
<p>
<strong>http_inspect</strong> (inspector): HTTP inspector
</p>
</li>
<li>
<p>
<strong>http_method</strong> (ips_option): rule option to set the detection cursor to the HTTP request method
</p>
</li>
<li>
<p>
<strong>http_raw_body</strong> (ips_option): rule option to set the detection cursor to the unnormalized message body
</p>
</li>
<li>
<p>
<strong>http_raw_cookie</strong> (ips_option): rule option to set the detection cursor to the unnormalized cookie
</p>
</li>
<li>
<p>
<strong>http_raw_header</strong> (ips_option): rule option to set the detection cursor to the unnormalized headers
</p>
</li>
<li>
<p>
<strong>http_raw_request</strong> (ips_option): rule option to set the detection cursor to the unnormalized request line
</p>
</li>
<li>
<p>
<strong>http_raw_status</strong> (ips_option): rule option to set the detection cursor to the unnormalized status line
</p>
</li>
<li>
<p>
<strong>http_raw_trailer</strong> (ips_option): rule option to set the detection cursor to the unnormalized trailers
</p>
</li>
<li>
<p>
<strong>http_raw_uri</strong> (ips_option): rule option to set the detection cursor to the unnormalized URI
</p>
</li>
<li>
<p>
<strong>http_stat_code</strong> (ips_option): rule option to set the detection cursor to the HTTP status code
</p>
</li>
<li>
<p>
<strong>http_stat_msg</strong> (ips_option): rule option to set the detection cursor to the HTTP status message
</p>
</li>
<li>
<p>
<strong>http_trailer</strong> (ips_option): rule option to set the detection cursor to the normalized trailers
</p>
</li>
<li>
<p>
<strong>http_true_ip</strong> (ips_option): rule option to set the detection cursor to the final client IP address
</p>
</li>
<li>
<p>
<strong>http_uri</strong> (ips_option): rule option to set the detection cursor to the normalized URI buffer
</p>
</li>
<li>
<p>
<strong>http_version</strong> (ips_option): rule option to set the detection cursor to the version buffer
</p>
</li>
<li>
<p>
<strong>icmp4</strong> (codec): support for Internet control message protocol v4
</p>
</li>
<li>
<p>
<strong>icmp6</strong> (codec): support for Internet control message protocol v6
</p>
</li>
<li>
<p>
<strong>icmp_id</strong> (ips_option): rule option to check ICMP ID
</p>
</li>
<li>
<p>
<strong>icmp_seq</strong> (ips_option): rule option to check ICMP sequence number
</p>
</li>
<li>
<p>
<strong>icode</strong> (ips_option): rule option to check ICMP code
</p>
</li>
<li>
<p>
<strong>id</strong> (ips_option): rule option to check the IP ID field
</p>
</li>
<li>
<p>
<strong>igmp</strong> (codec): support for Internet group management protocol
</p>
</li>
<li>
<p>
<strong>imap</strong> (inspector): imap inspection
</p>
</li>
<li>
<p>
<strong>inspection</strong> (basic): configure basic inspection policy parameters
</p>
</li>
<li>
<p>
<strong>ip_proto</strong> (ips_option): rule option to check the IP protocol number
</p>
</li>
<li>
<p>
<strong>ipopts</strong> (ips_option): rule option to check for IP options
</p>
</li>
<li>
<p>
<strong>ips</strong> (basic): configure IPS rule processing
</p>
</li>
<li>
<p>
<strong>ipv4</strong> (codec): support for Internet protocol v4 (DLT 228)
</p>
</li>
<li>
<p>
<strong>ipv6</strong> (codec): support for Internet protocol v6 (DLT 229)
</p>
</li>
<li>
<p>
<strong>isdataat</strong> (ips_option): rule option to check for the presence of payload data
</p>
</li>
<li>
<p>
<strong>itype</strong> (ips_option): rule option to check ICMP type
</p>
</li>
<li>
<p>
<strong>latency</strong> (basic): packet and rule latency monitoring and control
</p>
</li>
<li>
<p>
<strong>llc</strong> (codec): support for logical link control
</p>
</li>
<li>
<p>
<strong>log_codecs</strong> (logger): log protocols in packet by layer
</p>
</li>
<li>
<p>
<strong>log_hext</strong> (logger): output payload suitable for daq hext
</p>
</li>
<li>
<p>
<strong>log_pcap</strong> (logger): log packet in pcap format
</p>
</li>
<li>
<p>
<strong>md5</strong> (ips_option): payload rule option for hash matching
</p>
</li>
<li>
<p>
<strong>mem_test</strong> (inspector): for testing memory management
</p>
</li>
<li>
<p>
<strong>memory</strong> (basic): memory management configuration
</p>
</li>
<li>
<p>
<strong>metadata</strong> (ips_option): rule option for conveying arbitrary name, value data within the rule text
</p>
</li>
<li>
<p>
<strong>modbus</strong> (inspector): modbus inspection
</p>
</li>
<li>
<p>
<strong>modbus_data</strong> (ips_option): rule option to set cursor to modbus data
</p>
</li>
<li>
<p>
<strong>modbus_func</strong> (ips_option): rule option to check modbus function code
</p>
</li>
<li>
<p>
<strong>modbus_unit</strong> (ips_option): rule option to check Modbus unit ID
</p>
</li>
<li>
<p>
<strong>mpls</strong> (codec): support for multiprotocol label switching
</p>
</li>
<li>
<p>
<strong>msg</strong> (ips_option): rule option summarizing rule purpose output with events
</p>
</li>
<li>
<p>
<strong>mss</strong> (ips_option): detection for TCP maximum segment size
</p>
</li>
<li>
<p>
<strong>network</strong> (basic): configure basic network parameters
</p>
</li>
<li>
<p>
<strong>normalizer</strong> (inspector): packet scrubbing for inline mode
</p>
</li>
<li>
<p>
<strong>output</strong> (basic): configure general output parameters
</p>
</li>
<li>
<p>
<strong>packet_capture</strong> (inspector): raw packet dumping facility
</p>
</li>
<li>
<p>
<strong>packet_tracer</strong> (basic): generate debug trace messages for packets
</p>
</li>
<li>
<p>
<strong>packets</strong> (basic): configure basic packet handling
</p>
</li>
<li>
<p>
<strong>pbb</strong> (codec): support for 802.1ah protocol
</p>
</li>
<li>
<p>
<strong>pcre</strong> (ips_option): rule option for matching payload data with pcre
</p>
</li>
<li>
<p>
<strong>perf_monitor</strong> (inspector): performance monitoring and flow statistics collection
</p>
</li>
<li>
<p>
<strong>pgm</strong> (codec): support for pragmatic general multicast
</p>
</li>
<li>
<p>
<strong>pkt_data</strong> (ips_option): rule option to set the detection cursor to the normalized packet data
</p>
</li>
<li>
<p>
<strong>pkt_num</strong> (ips_option): alert on raw packet number
</p>
</li>
<li>
<p>
<strong>pop</strong> (inspector): pop inspection
</p>
</li>
<li>
<p>
<strong>port_scan</strong> (inspector): detect various ip, icmp, tcp, and udp port or protocol scans
</p>
</li>
<li>
<p>
<strong>pppoe</strong> (codec): support for point-to-point protocol over ethernet
</p>
</li>
<li>
<p>
<strong>priority</strong> (ips_option): rule option for prioritizing events
</p>
</li>
<li>
<p>
<strong>process</strong> (basic): configure basic process setup
</p>
</li>
<li>
<p>
<strong>profiler</strong> (basic): configure profiling of rules and/or modules
</p>
</li>
<li>
<p>
<strong>rate_filter</strong> (basic): configure rate filters (which change rule actions)
</p>
</li>
<li>
<p>
<strong>raw_data</strong> (ips_option): rule option to set the detection cursor to the raw packet data
</p>
</li>
<li>
<p>
<strong>react</strong> (ips_action): send response to client and terminate session
</p>
</li>
<li>
<p>
<strong>reference</strong> (ips_option): rule option to indicate relevant attack identification system
</p>
</li>
<li>
<p>
<strong>references</strong> (basic): define reference systems used in rules
</p>
</li>
<li>
<p>
<strong>regex</strong> (ips_option): rule option for matching payload data with hyperscan regex
</p>
</li>
<li>
<p>
<strong>reject</strong> (ips_action): terminate session with TCP reset or ICMP unreachable
</p>
</li>
<li>
<p>
<strong>rem</strong> (ips_option): rule option to convey an arbitrary comment in the rule body
</p>
</li>
<li>
<p>
<strong>replace</strong> (ips_option): rule option to overwrite payload data; use with rewrite action
</p>
</li>
<li>
<p>
<strong>reputation</strong> (inspector): reputation inspection
</p>
</li>
<li>
<p>
<strong>rev</strong> (ips_option): rule option to indicate current revision of signature
</p>
</li>
<li>
<p>
<strong>rewrite</strong> (ips_action): overwrite packet contents
</p>
</li>
<li>
<p>
<strong>rna</strong> (inspector): Real-time network awareness and OS fingerprinting (experimental)
</p>
</li>
<li>
<p>
<strong>rpc</strong> (ips_option): rule option to check SUNRPC CALL parameters
</p>
</li>
<li>
<p>
<strong>rpc_decode</strong> (inspector): RPC inspector
</p>
</li>
<li>
<p>
<strong>rt_global</strong> (inspector): The regression test global inspector is used for regression tests specific to a global inspector
</p>
</li>
<li>
<p>
<strong>rt_packet</strong> (inspector): The regression test packet inspector is used when special packet handling is required for a reg test
</p>
</li>
<li>
<p>
<strong>rt_service</strong> (inspector): The regression test service inspector is used by regression tests that require custom service inspector support.
</p>
</li>
<li>
<p>
<strong>rule_state</strong> (basic): enable/disable and set actions for specific IPS rules
</p>
</li>
<li>
<p>
<strong>sd_pattern</strong> (ips_option): rule option for detecting sensitive data
</p>
</li>
<li>
<p>
<strong>search_engine</strong> (basic): configure fast pattern matcher
</p>
</li>
<li>
<p>
<strong>seq</strong> (ips_option): rule option to check TCP sequence number
</p>
</li>
<li>
<p>
<strong>service</strong> (ips_option): rule option to specify list of services for grouping rules
</p>
</li>
<li>
<p>
<strong>session</strong> (ips_option): rule option to check user data from TCP sessions
</p>
</li>
<li>
<p>
<strong>sha256</strong> (ips_option): payload rule option for hash matching
</p>
</li>
<li>
<p>
<strong>sha512</strong> (ips_option): payload rule option for hash matching
</p>
</li>
<li>
<p>
<strong>sid</strong> (ips_option): rule option to indicate signature number
</p>
</li>
<li>
<p>
<strong>side_channel</strong> (basic): implement the side-channel asynchronous messaging subsystem
</p>
</li>
<li>
<p>
<strong>sip</strong> (inspector): sip inspection
</p>
</li>
<li>
<p>
<strong>sip_body</strong> (ips_option): rule option to set the detection cursor to the request body
</p>
</li>
<li>
<p>
<strong>sip_header</strong> (ips_option): rule option to set the detection cursor to the SIP header buffer
</p>
</li>
<li>
<p>
<strong>sip_method</strong> (ips_option): detection option for sip stat code
</p>
</li>
<li>
<p>
<strong>sip_stat_code</strong> (ips_option): detection option for sip stat code
</p>
</li>
<li>
<p>
<strong>smtp</strong> (inspector): smtp inspection
</p>
</li>
<li>
<p>
<strong>snort</strong> (basic): command line configuration and shell commands
</p>
</li>
<li>
<p>
<strong>so</strong> (ips_option): rule option to call custom eval function
</p>
</li>
<li>
<p>
<strong>soid</strong> (ips_option): rule option to specify a shared object rule ID
</p>
</li>
<li>
<p>
<strong>ssh</strong> (inspector): ssh inspection
</p>
</li>
<li>
<p>
<strong>ssl</strong> (inspector): ssl inspection
</p>
</li>
<li>
<p>
<strong>ssl_state</strong> (ips_option): detection option for ssl state
</p>
</li>
<li>
<p>
<strong>ssl_version</strong> (ips_option): detection option for ssl version
</p>
</li>
<li>
<p>
<strong>stream</strong> (inspector): common flow tracking
</p>
</li>
<li>
<p>
<strong>stream_file</strong> (inspector): stream inspector for file flow tracking and processing
</p>
</li>
<li>
<p>
<strong>stream_icmp</strong> (inspector): stream inspector for ICMP flow tracking
</p>
</li>
<li>
<p>
<strong>stream_ip</strong> (inspector): stream inspector for IP flow tracking and defragmentation
</p>
</li>
<li>
<p>
<strong>stream_reassemble</strong> (ips_option): detection option for stream reassembly control
</p>
</li>
<li>
<p>
<strong>stream_size</strong> (ips_option): detection option for stream size checking
</p>
</li>
<li>
<p>
<strong>stream_tcp</strong> (inspector): stream inspector for TCP flow tracking and stream normalization and reassembly
</p>
</li>
<li>
<p>
<strong>stream_udp</strong> (inspector): stream inspector for UDP flow tracking
</p>
</li>
<li>
<p>
<strong>stream_user</strong> (inspector): stream inspector for user flow tracking and reassembly
</p>
</li>
<li>
<p>
<strong>suppress</strong> (basic): configure event suppressions
</p>
</li>
<li>
<p>
<strong>tag</strong> (ips_option): rule option to log additional packets
</p>
</li>
<li>
<p>
<strong>target</strong> (ips_option): rule option to indicate target of attack
</p>
</li>
<li>
<p>
<strong>tcp</strong> (codec): support for transmission control protocol
</p>
</li>
<li>
<p>
<strong>tcp_connector</strong> (connector): implement the tcp stream connector
</p>
</li>
<li>
<p>
<strong>telnet</strong> (inspector): telnet inspection and normalization
</p>
</li>
<li>
<p>
<strong>token_ring</strong> (codec): support for token ring decoding
</p>
</li>
<li>
<p>
<strong>tos</strong> (ips_option): rule option to check type of service field
</p>
</li>
<li>
<p>
<strong>ttl</strong> (ips_option): rule option to check time to live field
</p>
</li>
<li>
<p>
<strong>udp</strong> (codec): support for user datagram protocol
</p>
</li>
<li>
<p>
<strong>unified2</strong> (logger): output event and packet in unified2 format file
</p>
</li>
<li>
<p>
<strong>urg</strong> (ips_option): detection for TCP urgent pointer
</p>
</li>
<li>
<p>
<strong>vlan</strong> (codec): support for local area network
</p>
</li>
<li>
<p>
<strong>window</strong> (ips_option): rule option to check TCP window field
</p>
</li>
<li>
<p>
<strong>wizard</strong> (inspector): inspector that implements port-independent protocol identification
</p>
</li>
<li>
<p>
<strong>wlan</strong> (codec): support for wireless local area network protocol (DLT 105)
</p>
</li>
<li>
<p>
<strong>wscale</strong> (ips_option): detection for TCP window scale
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_plugin_listing">Plugin Listing</h3>
<div class="ulist"><ul>
<li>
<p>
<strong>codec::arp</strong>: support for address resolution protocol
</p>
</li>
<li>
<p>
<strong>codec::auth</strong>: support for IP authentication header
</p>
</li>
<li>
<p>
<strong>codec::bad_proto</strong>: bad protocol id
</p>
</li>
<li>
<p>
<strong>codec::ciscometadata</strong>: support for cisco metadata
</p>
</li>
<li>
<p>
<strong>codec::eapol</strong>: support for extensible authentication protocol over LAN
</p>
</li>
<li>
<p>
<strong>codec::erspan2</strong>: support for encapsulated remote switched port analyzer - type 2
</p>
</li>
<li>
<p>
<strong>codec::erspan3</strong>: support for encapsulated remote switched port analyzer - type 3
</p>
</li>
<li>
<p>
<strong>codec::esp</strong>: support for encapsulating security payload
</p>
</li>
<li>
<p>
<strong>codec::eth</strong>: support for ethernet protocol (DLT 1) (DLT 51)
</p>
</li>
<li>
<p>
<strong>codec::fabricpath</strong>: support for fabricpath
</p>
</li>
<li>
<p>
<strong>codec::gre</strong>: support for generic routing encapsulation
</p>
</li>
<li>
<p>
<strong>codec::gtp</strong>: support for general-packet-radio-service tunneling protocol
</p>
</li>
<li>
<p>
<strong>codec::icmp4</strong>: support for Internet control message protocol v4
</p>
</li>
<li>
<p>
<strong>codec::icmp4_ip</strong>: support for IP in ICMPv4
</p>
</li>
<li>
<p>
<strong>codec::icmp6</strong>: support for Internet control message protocol v6
</p>
</li>
<li>
<p>
<strong>codec::icmp6_ip</strong>: support for IP in ICMPv6
</p>
</li>
<li>
<p>
<strong>codec::igmp</strong>: support for Internet group management protocol
</p>
</li>
<li>
<p>
<strong>codec::ipv4</strong>: support for Internet protocol v4 (DLT 228)
</p>
</li>
<li>
<p>
<strong>codec::ipv6</strong>: support for Internet protocol v6 (DLT 229)
</p>
</li>
<li>
<p>
<strong>codec::ipv6_dst_opts</strong>: support for ipv6 destination options
</p>
</li>
<li>
<p>
<strong>codec::ipv6_frag</strong>: support for IPv6 fragment decoding
</p>
</li>
<li>
<p>
<strong>codec::ipv6_hop_opts</strong>: support for IPv6 hop options
</p>
</li>
<li>
<p>
<strong>codec::ipv6_mobility</strong>: support for mobility
</p>
</li>
<li>
<p>
<strong>codec::ipv6_no_next</strong>: sentinel codec
</p>
</li>
<li>
<p>
<strong>codec::ipv6_routing</strong>: support for IPv6 routing extension
</p>
</li>
<li>
<p>
<strong>codec::linux_sll</strong>: support for Linux SLL (DLT 113)
</p>
</li>
<li>
<p>
<strong>codec::llc</strong>: support for logical link control
</p>
</li>
<li>
<p>
<strong>codec::mpls</strong>: support for multiprotocol label switching
</p>
</li>
<li>
<p>
<strong>codec::null</strong>: support for null encapsulation (DLT 0)
</p>
</li>
<li>
<p>
<strong>codec::pbb</strong>: support for 802.1ah protocol
</p>
</li>
<li>
<p>
<strong>codec::pflog</strong>: support for OpenBSD PF log (DLT 117)
</p>
</li>
<li>
<p>
<strong>codec::pgm</strong>: support for pragmatic general multicast
</p>
</li>
<li>
<p>
<strong>codec::ppp</strong>: support for point-to-point encapsulation (DLT 9)
</p>
</li>
<li>
<p>
<strong>codec::ppp_encap</strong>: support for point-to-point encapsulation
</p>
</li>
<li>
<p>
<strong>codec::pppoe_disc</strong>: support for point-to-point discovery
</p>
</li>
<li>
<p>
<strong>codec::pppoe_sess</strong>: support for point-to-point session
</p>
</li>
<li>
<p>
<strong>codec::raw</strong>: support for raw IP (DLT 12)
</p>
</li>
<li>
<p>
<strong>codec::slip</strong>: support for slip protocol (DLT 8)
</p>
</li>
<li>
<p>
<strong>codec::tcp</strong>: support for transmission control protocol
</p>
</li>
<li>
<p>
<strong>codec::teredo</strong>: support for teredo
</p>
</li>
<li>
<p>
<strong>codec::token_ring</strong>: support for token ring decoding
</p>
</li>
<li>
<p>
<strong>codec::trans_bridge</strong>: support for trans-bridging
</p>
</li>
<li>
<p>
<strong>codec::udp</strong>: support for user datagram protocol
</p>
</li>
<li>
<p>
<strong>codec::user</strong>: support for user sessions (DLT 230)
</p>
</li>
<li>
<p>
<strong>codec::vlan</strong>: support for local area network
</p>
</li>
<li>
<p>
<strong>codec::wlan</strong>: support for wireless local area network protocol (DLT 105)
</p>
</li>
<li>
<p>
<strong>connector::file_connector</strong>: implement the file based connector
</p>
</li>
<li>
<p>
<strong>connector::tcp_connector</strong>: implement the tcp stream connector
</p>
</li>
<li>
<p>
<strong>inspector::appid</strong>: application and service identification
</p>
</li>
<li>
<p>
<strong>inspector::arp_spoof</strong>: detect ARP attacks and anomalies
</p>
</li>
<li>
<p>
<strong>inspector::back_orifice</strong>: back orifice detection
</p>
</li>
<li>
<p>
<strong>inspector::binder</strong>: configure processing based on CIDRs, ports, services, etc.
</p>
</li>
<li>
<p>
<strong>inspector::data_log</strong>: log selected published data to data.log
</p>
</li>
<li>
<p>
<strong>inspector::dce_http_proxy</strong>: dce over http inspection - client to/from proxy
</p>
</li>
<li>
<p>
<strong>inspector::dce_http_server</strong>: dce over http inspection - proxy to/from server
</p>
</li>
<li>
<p>
<strong>inspector::dce_smb</strong>: dce over smb inspection
</p>
</li>
<li>
<p>
<strong>inspector::dce_tcp</strong>: dce over tcp inspection
</p>
</li>
<li>
<p>
<strong>inspector::dce_udp</strong>: dce over udp inspection
</p>
</li>
<li>
<p>
<strong>inspector::dnp3</strong>: dnp3 inspection
</p>
</li>
<li>
<p>
<strong>inspector::dns</strong>: dns inspection
</p>
</li>
<li>
<p>
<strong>inspector::domain_filter</strong>: alert on configured HTTP domains
</p>
</li>
<li>
<p>
<strong>inspector::dpx</strong>: dynamic inspector example
</p>
</li>
<li>
<p>
<strong>inspector::file_id</strong>: configure file identification
</p>
</li>
<li>
<p>
<strong>inspector::file_log</strong>: log file event to file.log
</p>
</li>
<li>
<p>
<strong>inspector::finalize_packet</strong>: handle the finalize packet event
</p>
</li>
<li>
<p>
<strong>inspector::ftp_client</strong>: FTP inspector client module
</p>
</li>
<li>
<p>
<strong>inspector::ftp_data</strong>: FTP data channel handler
</p>
</li>
<li>
<p>
<strong>inspector::ftp_server</strong>: FTP inspector server module
</p>
</li>
<li>
<p>
<strong>inspector::gtp_inspect</strong>: gtp control channel inspection
</p>
</li>
<li>
<p>
<strong>inspector::http2_inspect</strong>: the HTTP/2 inspector
</p>
</li>
<li>
<p>
<strong>inspector::http_inspect</strong>: the new HTTP inspector!
</p>
</li>
<li>
<p>
<strong>inspector::imap</strong>: imap inspection
</p>
</li>
<li>
<p>
<strong>inspector::mem_test</strong>: for testing memory management
</p>
</li>
<li>
<p>
<strong>inspector::modbus</strong>: modbus inspection
</p>
</li>
<li>
<p>
<strong>inspector::normalizer</strong>: packet scrubbing for inline mode
</p>
</li>
<li>
<p>
<strong>inspector::packet_capture</strong>: raw packet dumping facility
</p>
</li>
<li>
<p>
<strong>inspector::perf_monitor</strong>: performance monitoring and flow statistics collection
</p>
</li>
<li>
<p>
<strong>inspector::pop</strong>: pop inspection
</p>
</li>
<li>
<p>
<strong>inspector::port_scan</strong>: detect various ip, icmp, tcp, and udp port or protocol scans
</p>
</li>
<li>
<p>
<strong>inspector::reputation</strong>: reputation inspection
</p>
</li>
<li>
<p>
<strong>inspector::rna</strong>: Real-time network awareness and OS fingerprinting (experimental)
</p>
</li>
<li>
<p>
<strong>inspector::rpc_decode</strong>: RPC inspector
</p>
</li>
<li>
<p>
<strong>inspector::rt_global</strong>: The regression test global inspector is used for regression tests specific to a global inspector
</p>
</li>
<li>
<p>
<strong>inspector::rt_packet</strong>: The regression test packet inspector is used when special packet handling is required for a reg test
</p>
</li>
<li>
<p>
<strong>inspector::rt_service</strong>: The regression test service inspector is used by regression tests that require custom service inspector support.
</p>
</li>
<li>
<p>
<strong>inspector::sip</strong>: sip inspection
</p>
</li>
<li>
<p>
<strong>inspector::smtp</strong>: smtp inspection
</p>
</li>
<li>
<p>
<strong>inspector::ssh</strong>: ssh inspection
</p>
</li>
<li>
<p>
<strong>inspector::ssl</strong>: ssl inspection
</p>
</li>
<li>
<p>
<strong>inspector::stream</strong>: common flow tracking
</p>
</li>
<li>
<p>
<strong>inspector::stream_file</strong>: stream inspector for file flow tracking and processing
</p>
</li>
<li>
<p>
<strong>inspector::stream_icmp</strong>: stream inspector for ICMP flow tracking
</p>
</li>
<li>
<p>
<strong>inspector::stream_ip</strong>: stream inspector for IP flow tracking and defragmentation
</p>
</li>
<li>
<p>
<strong>inspector::stream_tcp</strong>: stream inspector for TCP flow tracking and stream normalization and reassembly
</p>
</li>
<li>
<p>
<strong>inspector::stream_udp</strong>: stream inspector for UDP flow tracking
</p>
</li>
<li>
<p>
<strong>inspector::stream_user</strong>: stream inspector for user flow tracking and reassembly
</p>
</li>
<li>
<p>
<strong>inspector::telnet</strong>: telnet inspection and normalization
</p>
</li>
<li>
<p>
<strong>inspector::wizard</strong>: inspector that implements port-independent protocol identification
</p>
</li>
<li>
<p>
<strong>ips_action::react</strong>: send response to client and terminate session
</p>
</li>
<li>
<p>
<strong>ips_action::reject</strong>: terminate session with TCP reset or ICMP unreachable
</p>
</li>
<li>
<p>
<strong>ips_action::rewrite</strong>: overwrite packet contents
</p>
</li>
<li>
<p>
<strong>ips_option::ack</strong>: rule option to match on TCP ack numbers
</p>
</li>
<li>
<p>
<strong>ips_option::appids</strong>: detection option for application ids
</p>
</li>
<li>
<p>
<strong>ips_option::asn1</strong>: rule option for asn1 detection
</p>
</li>
<li>
<p>
<strong>ips_option::base64_data</strong>: set detection cursor to decoded Base64 data
</p>
</li>
<li>
<p>
<strong>ips_option::base64_decode</strong>: rule option to decode base64 data - must be used with base64_data option
</p>
</li>
<li>
<p>
<strong>ips_option::ber_data</strong>: rule option to move to the data for a specified BER element
</p>
</li>
<li>
<p>
<strong>ips_option::ber_skip</strong>: rule option to skip BER element
</p>
</li>
<li>
<p>
<strong>ips_option::bufferlen</strong>: rule option to check length of current buffer
</p>
</li>
<li>
<p>
<strong>ips_option::byte_extract</strong>: rule option to convert data to an integer variable
</p>
</li>
<li>
<p>
<strong>ips_option::byte_jump</strong>: rule option to move the detection cursor
</p>
</li>
<li>
<p>
<strong>ips_option::byte_math</strong>: rule option to perform mathematical operations on extracted value and a specified value or existing variable
</p>
</li>
<li>
<p>
<strong>ips_option::byte_test</strong>: rule option to convert data to integer and compare
</p>
</li>
<li>
<p>
<strong>ips_option::classtype</strong>: general rule option for rule classification
</p>
</li>
<li>
<p>
<strong>ips_option::content</strong>: payload rule option for basic pattern matching
</p>
</li>
<li>
<p>
<strong>ips_option::cvs</strong>: payload rule option for detecting specific attacks
</p>
</li>
<li>
<p>
<strong>ips_option::dce_iface</strong>: detection option to check dcerpc interface
</p>
</li>
<li>
<p>
<strong>ips_option::dce_opnum</strong>: detection option to check dcerpc operation number
</p>
</li>
<li>
<p>
<strong>ips_option::dce_stub_data</strong>: sets the cursor to dcerpc stub data
</p>
</li>
<li>
<p>
<strong>ips_option::detection_filter</strong>: rule option to require multiple hits before a rule generates an event
</p>
</li>
<li>
<p>
<strong>ips_option::dnp3_data</strong>: sets the cursor to dnp3 data
</p>
</li>
<li>
<p>
<strong>ips_option::dnp3_func</strong>: detection option to check DNP3 function code
</p>
</li>
<li>
<p>
<strong>ips_option::dnp3_ind</strong>: detection option to check DNP3 indicator flags
</p>
</li>
<li>
<p>
<strong>ips_option::dnp3_obj</strong>: detection option to check DNP3 object headers
</p>
</li>
<li>
<p>
<strong>ips_option::dsize</strong>: rule option to test payload size
</p>
</li>
<li>
<p>
<strong>ips_option::file_data</strong>: rule option to set detection cursor to file data
</p>
</li>
<li>
<p>
<strong>ips_option::file_type</strong>: rule option to check file type
</p>
</li>
<li>
<p>
<strong>ips_option::flags</strong>: rule option to test TCP control flags
</p>
</li>
<li>
<p>
<strong>ips_option::flow</strong>: rule option to check session properties
</p>
</li>
<li>
<p>
<strong>ips_option::flowbits</strong>: rule option to set and test arbitrary boolean flags
</p>
</li>
<li>
<p>
<strong>ips_option::fragbits</strong>: rule option to test IP frag flags
</p>
</li>
<li>
<p>
<strong>ips_option::fragoffset</strong>: rule option to test IP frag offset
</p>
</li>
<li>
<p>
<strong>ips_option::gid</strong>: rule option specifying rule generator
</p>
</li>
<li>
<p>
<strong>ips_option::gtp_info</strong>: rule option to check gtp info element
</p>
</li>
<li>
<p>
<strong>ips_option::gtp_type</strong>: rule option to check gtp types
</p>
</li>
<li>
<p>
<strong>ips_option::gtp_version</strong>: rule option to check GTP version
</p>
</li>
<li>
<p>
<strong>ips_option::http2_decoded_header</strong>: rule option to set detection cursor to the decoded HTTP/2 header
</p>
</li>
<li>
<p>
<strong>ips_option::http2_frame_data</strong>: rule option to set detection cursor to the HTTP/2 frame body
</p>
</li>
<li>
<p>
<strong>ips_option::http2_frame_header</strong>: rule option to set detection cursor to the 9-octet HTTP/2 frame header
</p>
</li>
<li>
<p>
<strong>ips_option::http_client_body</strong>: rule option to set the detection cursor to the request body
</p>
</li>
<li>
<p>
<strong>ips_option::http_cookie</strong>: rule option to set the detection cursor to the HTTP cookie
</p>
</li>
<li>
<p>
<strong>ips_option::http_header</strong>: rule option to set the detection cursor to the normalized headers
</p>
</li>
<li>
<p>
<strong>ips_option::http_method</strong>: rule option to set the detection cursor to the HTTP request method
</p>
</li>
<li>
<p>
<strong>ips_option::http_raw_body</strong>: rule option to set the detection cursor to the unnormalized message body
</p>
</li>
<li>
<p>
<strong>ips_option::http_raw_cookie</strong>: rule option to set the detection cursor to the unnormalized cookie
</p>
</li>
<li>
<p>
<strong>ips_option::http_raw_header</strong>: rule option to set the detection cursor to the unnormalized headers
</p>
</li>
<li>
<p>
<strong>ips_option::http_raw_request</strong>: rule option to set the detection cursor to the unnormalized request line
</p>
</li>
<li>
<p>
<strong>ips_option::http_raw_status</strong>: rule option to set the detection cursor to the unnormalized status line
</p>
</li>
<li>
<p>
<strong>ips_option::http_raw_trailer</strong>: rule option to set the detection cursor to the unnormalized trailers
</p>
</li>
<li>
<p>
<strong>ips_option::http_raw_uri</strong>: rule option to set the detection cursor to the unnormalized URI
</p>
</li>
<li>
<p>
<strong>ips_option::http_stat_code</strong>: rule option to set the detection cursor to the HTTP status code
</p>
</li>
<li>
<p>
<strong>ips_option::http_stat_msg</strong>: rule option to set the detection cursor to the HTTP status message
</p>
</li>
<li>
<p>
<strong>ips_option::http_trailer</strong>: rule option to set the detection cursor to the normalized trailers
</p>
</li>
<li>
<p>
<strong>ips_option::http_true_ip</strong>: rule option to set the detection cursor to the final client IP address
</p>
</li>
<li>
<p>
<strong>ips_option::http_uri</strong>: rule option to set the detection cursor to the normalized URI buffer
</p>
</li>
<li>
<p>
<strong>ips_option::http_version</strong>: rule option to set the detection cursor to the version buffer
</p>
</li>
<li>
<p>
<strong>ips_option::icmp_id</strong>: rule option to check ICMP ID
</p>
</li>
<li>
<p>
<strong>ips_option::icmp_seq</strong>: rule option to check ICMP sequence number
</p>
</li>
<li>
<p>
<strong>ips_option::icode</strong>: rule option to check ICMP code
</p>
</li>
<li>
<p>
<strong>ips_option::id</strong>: rule option to check the IP ID field
</p>
</li>
<li>
<p>
<strong>ips_option::ip_proto</strong>: rule option to check the IP protocol number
</p>
</li>
<li>
<p>
<strong>ips_option::ipopts</strong>: rule option to check for IP options
</p>
</li>
<li>
<p>
<strong>ips_option::isdataat</strong>: rule option to check for the presence of payload data
</p>
</li>
<li>
<p>
<strong>ips_option::itype</strong>: rule option to check ICMP type
</p>
</li>
<li>
<p>
<strong>ips_option::md5</strong>: payload rule option for hash matching
</p>
</li>
<li>
<p>
<strong>ips_option::metadata</strong>: rule option for conveying arbitrary name, value data within the rule text
</p>
</li>
<li>
<p>
<strong>ips_option::modbus_data</strong>: rule option to set cursor to modbus data
</p>
</li>
<li>
<p>
<strong>ips_option::modbus_func</strong>: rule option to check modbus function code
</p>
</li>
<li>
<p>
<strong>ips_option::modbus_unit</strong>: rule option to check Modbus unit ID
</p>
</li>
<li>
<p>
<strong>ips_option::msg</strong>: rule option summarizing rule purpose output with events
</p>
</li>
<li>
<p>
<strong>ips_option::mss</strong>: detection for TCP maximum segment size
</p>
</li>
<li>
<p>
<strong>ips_option::pcre</strong>: rule option for matching payload data with pcre
</p>
</li>
<li>
<p>
<strong>ips_option::pkt_data</strong>: rule option to set the detection cursor to the normalized packet data
</p>
</li>
<li>
<p>
<strong>ips_option::pkt_num</strong>: alert on raw packet number
</p>
</li>
<li>
<p>
<strong>ips_option::priority</strong>: rule option for prioritizing events
</p>
</li>
<li>
<p>
<strong>ips_option::raw_data</strong>: rule option to set the detection cursor to the raw packet data
</p>
</li>
<li>
<p>
<strong>ips_option::reference</strong>: rule option to indicate relevant attack identification system
</p>
</li>
<li>
<p>
<strong>ips_option::regex</strong>: rule option for matching payload data with hyperscan regex
</p>
</li>
<li>
<p>
<strong>ips_option::rem</strong>: rule option to convey an arbitrary comment in the rule body
</p>
</li>
<li>
<p>
<strong>ips_option::replace</strong>: rule option to overwrite payload data; use with rewrite action
</p>
</li>
<li>
<p>
<strong>ips_option::rev</strong>: rule option to indicate current revision of signature
</p>
</li>
<li>
<p>
<strong>ips_option::rpc</strong>: rule option to check SUNRPC CALL parameters
</p>
</li>
<li>
<p>
<strong>ips_option::sd_pattern</strong>: rule option for detecting sensitive data
</p>
</li>
<li>
<p>
<strong>ips_option::seq</strong>: rule option to check TCP sequence number
</p>
</li>
<li>
<p>
<strong>ips_option::service</strong>: rule option to specify list of services for grouping rules
</p>
</li>
<li>
<p>
<strong>ips_option::session</strong>: rule option to check user data from TCP sessions
</p>
</li>
<li>
<p>
<strong>ips_option::sha256</strong>: payload rule option for hash matching
</p>
</li>
<li>
<p>
<strong>ips_option::sha512</strong>: payload rule option for hash matching
</p>
</li>
<li>
<p>
<strong>ips_option::sid</strong>: rule option to indicate signature number
</p>
</li>
<li>
<p>
<strong>ips_option::sip_body</strong>: rule option to set the detection cursor to the request body
</p>
</li>
<li>
<p>
<strong>ips_option::sip_header</strong>: rule option to set the detection cursor to the SIP header buffer
</p>
</li>
<li>
<p>
<strong>ips_option::sip_method</strong>: detection option for sip stat code
</p>
</li>
<li>
<p>
<strong>ips_option::sip_stat_code</strong>: detection option for sip stat code
</p>
</li>
<li>
<p>
<strong>ips_option::so</strong>: rule option to call custom eval function
</p>
</li>
<li>
<p>
<strong>ips_option::soid</strong>: rule option to specify a shared object rule ID
</p>
</li>
<li>
<p>
<strong>ips_option::ssl_state</strong>: detection option for ssl state
</p>
</li>
<li>
<p>
<strong>ips_option::ssl_version</strong>: detection option for ssl version
</p>
</li>
<li>
<p>
<strong>ips_option::stream_reassemble</strong>: detection option for stream reassembly control
</p>
</li>
<li>
<p>
<strong>ips_option::stream_size</strong>: detection option for stream size checking
</p>
</li>
<li>
<p>
<strong>ips_option::tag</strong>: rule option to log additional packets
</p>
</li>
<li>
<p>
<strong>ips_option::target</strong>: rule option to indicate target of attack
</p>
</li>
<li>
<p>
<strong>ips_option::tos</strong>: rule option to check type of service field
</p>
</li>
<li>
<p>
<strong>ips_option::ttl</strong>: rule option to check time to live field
</p>
</li>
<li>
<p>
<strong>ips_option::urg</strong>: detection for TCP urgent pointer
</p>
</li>
<li>
<p>
<strong>ips_option::window</strong>: rule option to check TCP window field
</p>
</li>
<li>
<p>
<strong>ips_option::wscale</strong>: detection for TCP window scale
</p>
</li>
<li>
<p>
<strong>logger::alert_csv</strong>: output event in csv format
</p>
</li>
<li>
<p>
<strong>logger::alert_ex</strong>: output gid:sid:rev for alerts
</p>
</li>
<li>
<p>
<strong>logger::alert_fast</strong>: output event with brief text format
</p>
</li>
<li>
<p>
<strong>logger::alert_full</strong>: output event with full packet dump
</p>
</li>
<li>
<p>
<strong>logger::alert_json</strong>: output event in json format
</p>
</li>
<li>
<p>
<strong>logger::alert_sfsocket</strong>: output event over socket
</p>
</li>
<li>
<p>
<strong>logger::alert_syslog</strong>: output event to syslog
</p>
</li>
<li>
<p>
<strong>logger::alert_talos</strong>: output event in Talos alert format
</p>
</li>
<li>
<p>
<strong>logger::alert_unixsock</strong>: output event over unix socket
</p>
</li>
<li>
<p>
<strong>logger::log_codecs</strong>: log protocols in packet by layer
</p>
</li>
<li>
<p>
<strong>logger::log_hext</strong>: output payload suitable for daq hext
</p>
</li>
<li>
<p>
<strong>logger::log_null</strong>: disable logging of packets
</p>
</li>
<li>
<p>
<strong>logger::log_pcap</strong>: log packet in pcap format
</p>
</li>
<li>
<p>
<strong>logger::unified2</strong>: output event and packet in unified2 format file
</p>
</li>
<li>
<p>
<strong>search_engine::ac_banded</strong>: Aho-Corasick Banded (high memory, moderate performance)
</p>
</li>
<li>
<p>
<strong>search_engine::ac_bnfa</strong>: Aho-Corasick Binary NFA (low memory, high performance) MPSE
</p>
</li>
<li>
<p>
<strong>search_engine::ac_full</strong>: Aho-Corasick Full (high memory, best performance), implements search_all()
</p>
</li>
<li>
<p>
<strong>search_engine::ac_sparse</strong>: Aho-Corasick Sparse (high memory, moderate performance) MPSE
</p>
</li>
<li>
<p>
<strong>search_engine::ac_sparse_bands</strong>: Aho-Corasick Sparse-Banded (high memory, moderate performance) MPSE
</p>
</li>
<li>
<p>
<strong>search_engine::ac_std</strong>: Aho-Corasick Full (high memory, best performance) MPSE
</p>
</li>
<li>
<p>
<strong>search_engine::hyperscan</strong>: intel hyperscan-based mpse with regex support
</p>
</li>
<li>
<p>
<strong>search_engine::lowmem</strong>: Keyword Trie (low memory, moderate performance) MPSE
</p>
</li>
<li>
<p>
<strong>so_rule::3|18758</strong>: SO rule example
</p>
</li>
</ul></div>
</div>
<div class="sect2">
<h3 id="_limitations">Limitations</h3>
<div class="sect3">
<h4 id="_reload_limitations">Reload limitations</h4>
<div class="paragraph"><p>The following parameters can&#8217;t be changed during reload, and require a restart:</p></div>
<div class="ulist"><ul>
<li>
<p>
active.attempts
</p>
</li>
<li>
<p>
active.device
</p>
</li>
<li>
<p>
alerts.detection_filter_memcap
</p>
</li>
<li>
<p>
alerts.event_filter_memcap
</p>
</li>
<li>
<p>
alerts.rate_filter_memcap
</p>
</li>
<li>
<p>
attribute_table.max_hosts
</p>
</li>
<li>
<p>
attribute_table.max_services_per_host
</p>
</li>
<li>
<p>
daq.snaplen
</p>
</li>
<li>
<p>
daq.no_promisc
</p>
</li>
<li>
<p>
detection.asn1
</p>
</li>
<li>
<p>
file_id.max_files_cached
</p>
</li>
<li>
<p>
port_scan.memcap
</p>
</li>
<li>
<p>
process.chroot
</p>
</li>
<li>
<p>
process.daemon
</p>
</li>
<li>
<p>
process.set_gid
</p>
</li>
<li>
<p>
process.set_uid
</p>
</li>
<li>
<p>
stream.footprint
</p>
</li>
<li>
<p>
stream.ip_cache.max_sessions
</p>
</li>
<li>
<p>
stream.ip_cache.pruning_timeout
</p>
</li>
<li>
<p>
stream.ip_cache.idle_timeout
</p>
</li>
<li>
<p>
stream.icmp_cache.max_sessions
</p>
</li>
<li>
<p>
stream.icmp_cache.pruning_timeout
</p>
</li>
<li>
<p>
stream.icmp_cache.idle_timeout
</p>
</li>
<li>
<p>
stream.tcp_cache.max_sessions
</p>
</li>
<li>
<p>
stream.tcp_cache.pruning_timeout
</p>
</li>
<li>
<p>
stream.tcp_cache.idle_timeout
</p>
</li>
<li>
<p>
stream.udp_cache.max_sessions
</p>
</li>
<li>
<p>
stream.udp_cache.pruning_timeout
</p>
</li>
<li>
<p>
stream.udp_cache.idle_timeout
</p>
</li>
<li>
<p>
stream.user_cache.max_sessions
</p>
</li>
<li>
<p>
stream.user_cache.pruning_timeout
</p>
</li>
<li>
<p>
stream.user_cache.idle_timeout
</p>
</li>
<li>
<p>
stream.file_cache.max_sessions
</p>
</li>
<li>
<p>
stream.file_cache.pruning_timeout
</p>
</li>
<li>
<p>
stream.file_cache.idle_timeout
</p>
</li>
</ul></div>
<div class="paragraph"><p>In addition, the following scenarios require a restart:</p></div>
<div class="ulist"><ul>
<li>
<p>
Enabling file capture for the first time
</p>
</li>
<li>
<p>
Changing file_id.capture_memcap if file capture was previously or currently
 enabled
</p>
</li>
<li>
<p>
Changing file_id.capture_block_size if file capture was previously or
 currently enabled
</p>
</li>
<li>
<p>
Adding/removing stream_* inspectors if stream was already configured
</p>
</li>
</ul></div>
<div class="paragraph"><p>In all of these cases reload will fail with the following message: "reload
 failed - restart required". The original config will remain in use.</p></div>
</div>
</div>
</div>
</div>
</div>
<div id="footnotes"><hr /></div>
<div id="footer">
<div id="footer-text">
Last updated
 2019-09-12 19:44:55 EDT
</div>
</div>
</body>
</html>
